EMAIL ACCESS CONTROL SCHEME FOR COMMUNICATION NETWORK USING IDENTIFICATION CONCEALMENT MECHANISM

BACKGROUND OF THE INVENTION

FIELD OF THE INVENTION

The present invention relates to an email access control scheme for controlling transmission and reception of emails by controlling accesses for communications from other users whose identifications on the communication network are concealed, while concealing an identification of a recipient on the communication network.

DESCRIPTION OF THE BACKGROUND ART

In conjunction with the spread of the Internet, the SPAM and the harassment using emails are drastically increasing. The SPAM is a generic name for emails or news that are unilaterally sent without any consideration to the recipient's time consumption, economical and mental burdens. The SPAM using emails is also known as UBE (Unsolicited Bulk Emails) or UCE (Unsolicited Commercial Emails).

The SPAM is sent indiscriminately regardless of the recipient's age, sex, interests, etc., so that the SPAM often contains an uninteresting or unpleasant content for the recipient. Moreover, the time consumption load and the economical load required for receiving the SPAM are not so small. For the business user, the SPAM can cause the lowering of the working efficiency as it becomes hard to find important mails that are buried among the SPAM. Also, as the SPAM is sent to a huge number of users, the SPAM wastes the network resources and in the worst case the SPAM can cause the overloading. As a result, there can be cases where mails that are important for the user may be lost. Also, the SPAM is sent either anonymously or by pretending to be someone else, so that there is a need to provide some human resources to handle complaints.

On the other hand, the harassment is an act of continually sending mails with unpleasant contents to a specific user for the purpose of causing mental agony or exerting economical and time consumption burdens on that user. Similarly to the SPAM, the harassment mails are sent by pretending to be an actual or virtual third person, so that the identification of the sender is quite difficult. Also, there are cases where a large capacity mail is sent or a large amount of mails are sent in a short period of time, so that there is a danger of causing the system breakdown.

In order to deal with the SPAM and the harassment, the mail system is required to satisfy the following requirements.

* Security

It is necessary to detect the pretending by the sender and refuse the delivery from the pretending sender.

* Strength

It is necessary to limit the mail capacity in order to circumvent the system breakdown due to the large capacity mail. It is also necessary to limit the number of transmissions in order to circumvent the system breakdown due to the large amount transmission.

* Compatibility

It is necessary not to require a considerable change to the implementation of the existing mail system.

* Handling

It is necessary not to require a considerable change to the handling of the existing mail system.

The MTA (Message Transfer Agent) such as sendmail and qmail detects the forgery of the envelope information and the header information and refuses the delivery. The MTA also refuses mail receiving from a mail server which is a source of the SPAM by referring to the so called black list such as MAPS RBL. The MTA also detects the transmission using someone else's real email address and refuses the delivery by carrying out the signature verification using PGP, S/MIME, TLS, etc. The MTA also limits the message length by partial deletion of the message text.

One of the causes of the SPAM and the harassment is the real email address, and the real email address is associated with the following problems.

* User's identity can be guessed from real email address:

The real email address contains information useful in guessing the identity, so that it can be used in selecting the harassment target. For example, the place of employment can be identified from the real domain. Also, the name and the sex can be guessed from the user name.

* Real email address can be guessed from user's identity:

The real email address has a universal format of [user name]@[domain name], so that the real email address can be guessed if the user's identity is known, without an explicit knowledge of the real email address itself. For example, if the user's real name is known, the candidates for the user name can be enumerated. Also, if the user's affiliation is known, the candidates for the domain name can be enumerated. Even in the case where the user name is given by a character string which is totally unrelated to the real name, if the naming rule for the user name is known, the user name can be guessed by trial and error transmissions.

* Real email address is transferrable:

The real email address can be transferred from one person to another, so that mails can be transmitted even if the real email address is not taught by the holder himself. The transfer of the real email address through mails includes the following cases. By specifying the other's real email address in the cc: line of the mail, that real email address can be transferred to all the recipients specified in the To: line of the mail. Also, by forwarding the mail that contains the real email address of the recipient specified in the To: line in the message text to a third person, that real email address can be transferred to the third person.

* Real email address is hard to cancel:

It is difficult to cancel the real email address because if the real email address is cancelled it becomes impossible to read not only the SPAM and the harassment mails but also the important mails as well.

Cypherpunk remailers and Mixmaster remailers, which are collectively known as Anonymous remailers, use a scheme for delivering mails after encrypting the real email address and the real domain of the sender. This scheme is called the reply block. The encryption and decryption of the reply block use a public key and a secret key of the Anonymous remailer, so that it is difficult to identify the real email address and the real domain of the sender for any users other than the sender.

The Anonymous remailers also make it difficult to transfer the real email address because it is difficult to identify the real email address. However, the reply block is transferrable, so that reply mails can be returned to the sender from users other than the recipient.

AS-Node and nym.alias.net, which are collectively known as Pseudonymous servers, use mail transmission and reception using a pseudonym account uniquely corresponding to the real email address of the user. The pseudonym account can be arbitrarily created at the user side, so that the user can have a pseudonym account from which the real email address is hard to guess. In addition, by the use of the reply block, it is also possible to conceal the real email address and the real domain of the user from the Pseudonymous server. By combining these means, it can be made difficult to identify the real email address and the real domain of the sender for any users other than the sender. Also, the pseudonym account is cancellable, so that there is no need to cancel the real email address.

The Pseudonymous servers also make it difficult to transfer the real email address because it is difficult to identify the real email address. However, the pseudonym account is transferrable, so that reply mails can be returned to the sender from users other than the recipient.

In addition, in order to protect a recipient from the SPAM and the harassment, it is also necessary to reject a connection request from a sender who is exercising such action. For this reason, it is necessary for the communication system to be capable of uniquely identifying the identity of the sender.

In view of these factors, the communication system is required to be capable of uniquely identifying the identity of the user while concealing the real email address of the user (that is, while guaranteeing the anonymity of the user), but in the conventional communication system it has been difficult to meet both of these requirements simultaneously.

In order to identify the identity of the user in the mail system, the real email address of that user is necessary. On the other hand, the Anonymous remailers deliver a mail after either encrypting or deleting the real email address of the sender in order to guarantee the anonymity of the sender. In order to identify the identity of the sender under this condition, it is necessary to trace the delivery route of the mail using the traffic analysis. However, the Anonymous remailers may delay the mail delivery or interchange the delivery orders of mails. Also, the Mixmaster remailers deliver the mail by dividing it into plural blocks. For this reason, it is difficult to trace the delivery route by the traffic analysis, and therefore the identification of the identity of the sender is also difficult.

The Pseudonymous servers also utilize the Anonymous remailers for the mail delivery, so that it is possible to guarantee the anonymity of the sender but it is also difficult to uniquely identify the identity of the sender.

On the other hand, the German Digital Signature Law allows entry of a pseudonym instead of a real name into a digital certificate for generating the digital signature to be used in communication services. The digital certificate is uniquely assigned to the user, so that the identity of the user can be uniquely identified even if the pseudonym is entered. Also, the right for naming the pseudonym is given to the user side, so that it is possible to enter a pseudonym from which it is difficult to guess the real name.

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide an email access control scheme in a communication network which is capable of resolving the above described problems of the real email address, which is one of the causes of the SPAM and the harassment.

It is another object of the present invention to provide an email access control scheme in a communication network which is capable of enabling a unique identification of the identity of the user while concealing the user identification.

In order to resolve the problems associated with the transfer and the cancellation of the real email address, the present invention employs the email access control scheme using a personalized access ticket (PAT). In order to resolve the problem associated with the transfer of the real email address, the destination is specified by the PAT, which contains both the real email address of the sender and a real email address of the recipient. Also, in order to resolve the problem associated with the cancellation of the real email address, a validity period is set in the PAT by a Trusted Third Party. Then, the mail delivery from the sender who presented the PAT with the expired validity period will be refused. Also, instead of cancelling the real email address, the PAT is registered at a secure storage device managed by a secure communication service.

In other words, the present invention controls accesses in units in which the real email address of the sender and the real email address of the recipient are paired. For this reason, even when the real email address is transferred, it is possible to avoid receiving mails from users to which the real email address has been transferred as long as the PAT is not acquired by these users.

Also, in the present invention, it is possible to refuse receiving mails without cancelling the real email address, because the mail delivery from the sender who presented the PAT with the expired validity period or the PAT that is registered in a database by the recipient will be refused.

Also, in the present invention, the mail receiving can be resumed without re-acquiring the real email address, because the mail receiving can be resumed by deleting the PAT from the above described storage device.

Also, in the present invention, the time consumption and economical loads required for the mail receiving or downloading at the user side can be reduced, because the transmission of mails is refused at the server side.
In addition, the present invention employs the email access control scheme using an official identification (OID) and an anonymous identification (AID) in order to make it possible to identify the identity of the user while guaranteeing the anonymity of the user.

Namely, in the present invention, a certificate in which the personal information is signed by a secret key of the Trusted Third Party is assigned to each user in order to uniquely identify each user. This certificate will be referred to as OID. Also, a certificate which contains fragments of the OID information is assigned to each user as a user identifier on a communication network in order to make it possible to identify the identity while guaranteeing the anonymity of the user. This certificate will be referred to as AID.

Also, in the present invention, the OID is reconstructed by judging the identity of a plurality of AIDs in order to identify the identity of the user. Also, the AID is contained in the PAT and the PAT is authenticated at a secure communication service (SCS) in order to resolve the problems associated with the transfer and the cancellation of the AID.

Also, in the present invention, the AID is managed in a directory which is accessible for search by unspecified many and which outputs the PAT containing the AID as a destination, in order to meet the user side demand for being able to admit accesses from unspecified many without revealing one's own identity.

In this way, in the present invention, the identity of the user can be concealed in the mail transmission and reception because the AID only contains fragments of the OID. Also, the identity of the user can be concealed from unspecified many even when the AID is registered at the directory service which is accessible from unspecified many.

Also, in the present invention, the identity of the user can be identified probabilistically by reconstructing the OID by judging the identity of a plurality of AIDs. For this reason, it is possible to provide a measure against the SPAM and the harassment without revealing the identity. Also, in the present invention, it is possible to admit accesses from unspecified many without revealing the identity, by managing the AID rather than the real email address at the directory and outputting the PAT containing the AID as a destination at the directory.

More specifically, according to one aspect of the present invention there is provided a method of email access control, comprising the steps of: receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.

Also, in this aspect of the present invention, at the controlling step the secure communication service authenticates the personalized access ticket presented by the sender, and refuses a delivery of the email when the personalized access ticket presented by the sender has been altered.

Also, in this aspect of the present invention, the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket, and at the controlling step the secure communication service authenticates the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

Also, in this aspect of the present invention, at the receiving step the secure communication service also receives the sender's identification presented by the sender along with the personalized access ticket, and at the controlling step the secure communication service checks whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuses a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

Also, in this aspect of the present invention, the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and at the controlling step the secure communication service checks the validity period contained in the personalized access ticket presented by the sender and refuses a delivery of the email when the personalized access ticket presented by the sender contains a validity period that has already expired.

Also, in this aspect of the present invention, the validity period of the personalized access ticket is set by a trusted third party.

Also, in this aspect of the present invention, the method can further comprise the step of: issuing the personalized access ticket to the sender at a directory service for managing an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than personal information, in a state which is accessible for search by unspecified many, in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

Also, in this aspect of the present invention, the method can further comprise the step of: registering in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service; wherein at the controlling step the secure communication service refuses a delivery of the email from the sender when the personalized access ticket presented by the sender is registered therein in advance at the registering step.

Also, in this aspect of the present invention, the method can further comprise the step of: deleting the personalized access ticket registered at the secure communication service upon request from the specific registrant who registered the personalized access ticket at the registering step.

Also, in this aspect of the present invention, the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service, and at the controlling step, when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the secure communication service authenticates the sender's identification presented by the sender and refuses a delivery of the email when an authentication of the sender's identification fails.

Also, in this aspect of the present invention, the authentication of the sender's identification is realized by a challenge/response procedure between the sender and the secure communication service.

Also, in this aspect of the present invention, the transfer control flag of the personalized access ticket is set by a trusted third party.
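The controlling step described in the preceding paragraphs (ticket authentication, the presented-sender check, the validity period, the refusal registry and the transfer control flag) can be written out as one decision routine. The following is an added example and not code from the patent: it assumes an HMAC-SHA256 tag as a stand-in for the secure processing device's secret/public key signature, an ISO-8601 string for the validity period, a fixed clock, constructed identifications such as alice@example.test, and a boolean that stands for the outcome of the challenge/response procedure, which is not modelled.

```python
from __future__ import annotations
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key. The patent has the secure processing device sign the PAT
# with its secret key and the SCS verify it with the public key; an HMAC tag
# is used here as a stand-in so the example runs with the standard library.
SPD_KEY = b"secure-processing-device-key (constructed)"


def sign_pat(pat: dict) -> dict:
    """Return the ticket body with the issuing device's tag attached."""
    body = {k: v for k, v in pat.items() if k != "sig"}
    data = json.dumps(body, sort_keys=True).encode()
    return {**body, "sig": hmac.new(SPD_KEY, data, hashlib.sha256).hexdigest()}


def pat_unaltered(pat: dict) -> bool:
    """Re-derive the tag over the presented fields; any change breaks it."""
    return hmac.compare_digest(sign_pat(pat)["sig"], pat.get("sig", ""))


class SecureCommunicationService:
    """Controlling step: decide whether an email may go to the mail transfer
    function, applying each refusal condition from the text in turn."""

    def __init__(self, now: datetime):
        self.now = now          # clock used for the validity period check
        self.refused = set()    # (sender, recipient) pairs registered in advance

    def register_refusal(self, sender_id: str, recipient_id: str) -> None:
        self.refused.add((sender_id, recipient_id))

    def delete_refusal(self, sender_id: str, recipient_id: str) -> None:
        self.refused.discard((sender_id, recipient_id))   # receiving resumes

    def control(self, pat: dict, presented_sender: str,
                sender_authenticated: bool = True) -> tuple[bool, str]:
        """Return (deliver, reason). sender_authenticated stands for the
        result of the challenge/response procedure (assumed, not modelled)."""
        if not pat_unaltered(pat):
            return False, "ticket altered or not issued by the secure processing device"
        if presented_sender != pat["sender"]:
            return False, "presented sender identification not contained in ticket"
        if self.now > datetime.fromisoformat(pat["valid_until"]):
            return False, "validity period expired"
        if (pat["sender"], pat["recipient"]) in self.refused:
            return False, "ticket registered in advance by the recipient"
        if pat["transfer_control"] and not sender_authenticated:
            return False, "sender authentication failed"
        return True, "deliver to " + pat["recipient"]


def demo() -> list[tuple[bool, str]]:
    """Walk a constructed ticket through every refusal condition."""
    scs = SecureCommunicationService(now=datetime(2024, 1, 15, tzinfo=timezone.utc))
    alice, bob = "alice@example.test", "bob@example.test"   # constructed identifications
    pat = sign_pat({"sender": alice, "recipient": bob,
                    "valid_until": "2024-06-30T00:00:00+00:00",  # set by the TTP
                    "transfer_control": True})                  # set by the TTP
    results = [scs.control(pat, alice)]                                  # delivered
    results.append(scs.control(pat, "mallory@example.test"))             # transferred ticket
    results.append(scs.control({**pat, "recipient": "carol@example.test"}, alice))  # altered
    results.append(scs.control(pat, alice, sender_authenticated=False))  # auth failed
    scs.register_refusal(alice, bob)
    results.append(scs.control(pat, alice))                              # refused in advance
    scs.delete_refusal(alice, bob)
    results.append(scs.control(pat, alice))                              # receiving resumed
    expired = sign_pat({**pat, "valid_until": "2023-12-31T00:00:00+00:00"})
    results.append(scs.control(expired, alice))                          # expired
    return results


if __name__ == "__main__":
    for deliver, reason in demo():
        print("DELIVER" if deliver else "REFUSE ", reason)
```

The order of the checks matters for the refusal reason a sender sees: the signature check runs first so that every later field (sender, validity period, transfer control flag) is only trusted after the ticket is known to be unaltered.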
Also, in this aspect of the present invention, the sender's identification and the recipient's identification in the personalized access ticket can be given by real email addresses of the sender and the recipient.

Also, in this aspect of the present invention, the sender's identification and the recipient's identification in the personalized access ticket can be given by anonymous identifications of the sender and the recipient, where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority.

Also, in this aspect of the present invention, the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority using a secret key of the certification authority.

Also, in this aspect of the present invention, the official identification of each user is a character string uniquely assigned to each user by the certification authority and a public key of each user which are signed by a secret key of the certification authority.

Also, in this aspect of the present invention, the method can further comprise the step of: probabilistically identifying an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

Also, in this aspect of the present invention, an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified can be defined, and the sender's identification and the recipient's identification in the personalized access ticket can be given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient.

Also, in this aspect of the present invention, the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority.

Also, in this aspect of the present invention, the method can further comprise the step of: probabilistically identifying an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.
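The OID/AID relationship and the probabilistic reconstruction described in the paragraphs above (an OID made of a CA-assigned string and the user's public key, AIDs carrying CA-signed fragments of it plus link information, and the OID rebuilt by judging whether a plurality of AIDs belong to one user) can be made concrete as follows. This is an added example, not the patent's own code: it assumes an HMAC-SHA256 tag as a stand-in for the certification authority's signature, that the OID content is cut into a fixed number of equal fragments (FRAGMENTS), and that two AIDs are judged to belong to the same user exactly when every fragment position they share agrees; the identifications and keys are constructed.

```python
from __future__ import annotations
import hashlib
import hmac
import json
from typing import Optional

# Constructed key. The patent has the CA sign OIDs and AIDs with its secret
# key; an HMAC tag stands in for that signature here.
CA_KEY = b"certification-authority-key (constructed)"
FRAGMENTS = 8   # assumed: the OID content is cut into this many fragments


def ca_sign(body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(CA_KEY, data, hashlib.sha256).hexdigest()


def issue_oid(user_string: str, public_key: str) -> dict:
    """OID: CA-assigned character string plus the user's public key, signed."""
    body = {"uid": user_string, "pk": public_key}
    return {**body, "sig": ca_sign(body)}


def oid_fragments(oid: dict) -> list[str]:
    text = oid["uid"] + "|" + oid["pk"]
    size = -(-len(text) // FRAGMENTS)          # ceiling division
    return [text[i * size:(i + 1) * size] for i in range(FRAGMENTS)]


def issue_aid(oid: dict, link: str, positions: list[int]) -> dict:
    """AID: link information plus a subset of OID fragments, CA-signed."""
    frags = oid_fragments(oid)
    body = {"link": link, "fragments": {str(p): frags[p] for p in positions}}
    return {**body, "sig": ca_sign(body)}


def aid_genuine(aid: dict) -> bool:
    body = {k: v for k, v in aid.items() if k != "sig"}
    return hmac.compare_digest(ca_sign(body), aid.get("sig", ""))


def reconstruct_oid(aids: list[dict]) -> tuple[Optional[str], float]:
    """Judge whether the AIDs belong to one user and reassemble the OID.
    Returns (text, coverage): text is the OID content once every fragment
    position has been seen, otherwise None; coverage is the share of
    positions recovered so far. Two AIDs that disagree on a shared position
    are judged to belong to different users and yield (None, 0.0)."""
    recovered: dict[int, str] = {}
    for aid in aids:
        if not aid_genuine(aid):
            continue                                   # forged AID, ignored
        for pos, frag in aid["fragments"].items():
            p = int(pos)
            if p in recovered and recovered[p] != frag:
                return None, 0.0
            recovered[p] = frag
    coverage = len(recovered) / FRAGMENTS
    if coverage < 1.0:
        return None, coverage
    return "".join(recovered[p] for p in range(FRAGMENTS)), 1.0


def demo() -> list[tuple[Optional[str], float]]:
    oid = issue_oid("U-0017", "PK-constructed-key-000017")      # constructed
    other = issue_oid("U-0042", "PK-constructed-key-000042")    # constructed
    # AIDs the same sender used in three different PATs (constructed)
    a1 = issue_aid(oid, "L-1", [0, 1, 2, 3])
    a2 = issue_aid(oid, "L-2", [3, 4, 5])
    a3 = issue_aid(oid, "L-3", [6, 7])
    stranger = issue_aid(other, "L-9", [0, 1])   # another user's AID
    return [reconstruct_oid([a1, a2]),              # partial: 6 of 8 positions
            reconstruct_oid([a1, a2, a3]),          # complete
            reconstruct_oid([a1, a2, a3, stranger])]  # conflict at position 1


if __name__ == "__main__":
    for text, coverage in demo():
        print(f"coverage={coverage:.2f} oid={text}")
```

Each AID on its own reveals only a few fragments, which is what conceals the identity on the network; the identification becomes possible only as the same user presents several PATs, and the coverage value is the "probabilistic" part of the identification the text refers to.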

Also, in this aspect of the present invention, the personalized access ticket can contain a single sender's identification and a single recipient's identification in 1-to-1 correspondence.

Also, in this aspect of the present invention, the personalized access ticket can contain a single sender's identification and a plurality of recipient's identifications in 1-to-N correspondence, where N is an integer greater than 1.

Also, in this aspect of the present invention, one identification among the single sender's identification and the plurality of recipient's identifications is a holder identification for identifying a holder of the personalized access ticket, while other identifications among the single sender's identification and the plurality of recipient's identifications are member identifications for identifying members of a group to which the holder belongs.

Also, in this aspect of the present invention, the method can further comprise the step of: issuing an identification of each user and an enabler of the identification of each user indicating a right to change the personalized access ticket containing the identification of each user as the holder identification, to each user at a certification authority, such that prescribed processing on the personalized access ticket can be carried out at a secure processing device only by a user who presented both the holder identification contained in the personalized access ticket and the enabler corresponding to the holder identification to the secure processing device.

Also, in this aspect of the present invention, the certification authority issues the enabler of the identification of each user as an information indicating that it is the enabler and the identification of each user itself which are signed by a secret key of the certification authority.

Also, in this aspect of the present invention, the prescribed processing includes a generation of a new personalized access ticket, a merging of a plurality of personalized access tickets, a splitting of one personalized access ticket into a plurality of personalized access tickets, a changing of the holder of the personalized access ticket, a changing of a validity period of the personalized access ticket, and a changing of a transfer control flag of the personalized access ticket.

Also, in this aspect of the present invention, a special identification and a special enabler corresponding to the special identification which are known to all users can be defined such that the generation of a new personalized access ticket and the changing of the holder of the personalized access ticket can be carried out by the holder of the personalized access ticket by using the special identification and the special enabler without using an enabler of a member identification.

Also, in this aspect of the present invention, the special identification is defined to be capable of being used only as the holder identification of the personalized access ticket.

Also, in this aspect of the present invention, a special identification which is known to all users can be defined such that a read only attribute can be set to the personalized access ticket by using the special identification.
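The holder/member structure of a 1-to-N ticket and the enabler-gated prescribed processing (merge, split, change of holder, validity period and transfer control flag) described in the paragraphs above can be exercised with the following added example, which is not the patent's own code. It assumes HMAC-SHA256 tags as stand-ins for the CA's and the secure processing device's signatures, an enabler encoded as the pair {"enabler": true, "id": ...} signed by the CA, and two policies the text leaves open: a merged ticket keeps the earliest validity period and requires sender authentication if any input ticket did. The special identification and the read only attribute are not modelled; identifications are constructed.

```python
from __future__ import annotations
import hashlib
import hmac
import json

# Constructed keys; the patent uses secret/public key pairs for the CA and
# the secure processing device. An HMAC tag stands in for each signature.
CA_KEY = b"certification-authority-key (constructed)"
SPD_KEY = b"secure-processing-device-key (constructed)"


def tag(key: bytes, body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_enabler(identification: str) -> dict:
    """CA-issued enabler: a marker that it is an enabler plus the
    identification itself, signed by the CA (as the text describes)."""
    body = {"enabler": True, "id": identification}
    return {**body, "sig": tag(CA_KEY, body)}


def enabler_matches(enabler: dict, identification: str) -> bool:
    expected = tag(CA_KEY, {"enabler": True, "id": identification})
    return hmac.compare_digest(expected, enabler.get("sig", ""))


class SecureProcessingDevice:
    """Carries out the prescribed processing on a 1-to-N ticket only for a
    user presenting the holder identification and the matching enabler."""

    def issue(self, holder: str, members: list[str], valid_until: str,
              transfer_control: bool = False) -> dict:
        body = {"holder": holder, "members": sorted(members),
                "valid_until": valid_until, "transfer_control": transfer_control}
        return {**body, "sig": tag(SPD_KEY, body)}

    def _authorize(self, pat: dict, presented_id: str, enabler: dict) -> None:
        body = {k: v for k, v in pat.items() if k != "sig"}
        if not hmac.compare_digest(tag(SPD_KEY, body), pat.get("sig", "")):
            raise PermissionError("ticket altered")
        if presented_id != pat["holder"] or not enabler_matches(enabler, presented_id):
            raise PermissionError("holder identification and its enabler are required")

    def merge(self, pats: list[dict], presented_id: str, enabler: dict) -> dict:
        for pat in pats:
            self._authorize(pat, presented_id, enabler)
        members = {m for pat in pats for m in pat["members"]}
        # Assumed policy: earliest expiry wins, authentication if any ticket required it.
        return self.issue(presented_id, sorted(members),
                          min(pat["valid_until"] for pat in pats),
                          any(pat["transfer_control"] for pat in pats))

    def split(self, pat: dict, groups: list[list[str]], presented_id: str,
              enabler: dict) -> list[dict]:
        self._authorize(pat, presented_id, enabler)
        if sorted(m for g in groups for m in g) != pat["members"]:
            raise ValueError("groups must partition the member identifications")
        return [self.issue(presented_id, g, pat["valid_until"], pat["transfer_control"])
                for g in groups]

    def change(self, pat: dict, presented_id: str, enabler: dict, **fields) -> dict:
        """Change the holder, the validity period or the transfer control flag."""
        self._authorize(pat, presented_id, enabler)
        if not set(fields) <= {"holder", "valid_until", "transfer_control"}:
            raise ValueError("only holder, valid_until and transfer_control may change")
        body = {k: v for k, v in pat.items() if k != "sig"}
        body.update(fields)
        return self.issue(body["holder"], body["members"], body["valid_until"],
                          body["transfer_control"])


def demo() -> dict:
    spd = SecureProcessingDevice()
    alice_enabler = issue_enabler("alice")        # constructed identifications
    p1 = spd.issue("alice", ["bob"], "2024-06-30")
    p2 = spd.issue("alice", ["carol", "dave"], "2024-03-31", transfer_control=True)
    merged = spd.merge([p1, p2], "alice", alice_enabler)
    parts = spd.split(merged, [["bob", "carol"], ["dave"]], "alice", alice_enabler)
    handed = spd.change(parts[1], "alice", alice_enabler, holder="erin")
    try:   # a member who holds a copy of the ticket but not the holder's enabler
        spd.change(p1, "bob", issue_enabler("bob"), valid_until="2030-01-01")
        intruder = "allowed"
    except PermissionError as exc:
        intruder = str(exc)
    return {"merged": merged, "parts": parts, "handed": handed, "intruder": intruder}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Because every ticket produced by the device is re-signed, a ticket that a member edits locally fails the signature check at the secure communication service, and a member who merely possesses a ticket cannot have the device reissue it without the holder's enabler.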

Also, in this aspect of the present invention, at the controlling step, when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the secure communication service takes out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, converts the mail by using the taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and gives the mail after conversion to the mail transfer function by attaching the personalized access ticket.

According to another aspect of the present invention there is provided a method of email access control, comprising the steps of: defining an official identification of each user by which each user is uniquely identifiable by a certification authority, and an anonymous identification of each user containing at least one fragment of the official identification; and identifying each user by the anonymous identification of each user in communications for emails on a communication network.

Also, in this aspect of the present invention, the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority using a secret key of the certification authority.

Also, in this aspect of the present invention, the official identification of each user is a character string uniquely assigned to each user by the certification authority and a public key of each user which are signed by a secret key of the certification authority.

Also, in this aspect of the present invention, the method can further comprise the steps of: receiving a personalized access ticket containing a sender's anonymous identification and a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.

Also, in this aspect of the present invention, the method can further comprise the step of: probabilistically identifying an identity of the sender at the secure communication service by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.
35 Also, in this aspect of the present invention, the 


-16- 


defining step can also define a link information of each 
anonymous identification by which each anonymous 
identification can be uniquely identified, and each 
anonymous identification can also contain the link 
5 information of each anonymous identification. 

Also, in this aspect of the present invention, the 
link information of each anonymous identification is an 
identifier uniquely assigned to each anonymous 
identification by the certification authority. 

10 Also, in this aspect of the present invention, the 

method can further comprises the steps of; receiving a 
personalized access ticket containing a link information of 
a sender's anonymous identification and a link information 
of a recipients anonymous identification in 

15 correspondence, which is presented by a sender who wishes 
to send an email to a recipient so as to specify the 
recipient as an intended destination of the email, at a 
secure communication service for connecting communications 
between the sender and the receiver; and controlling 

20 accesses between the sender and the recipient by verifying 
an access right of the sender with respect to the recipient 
according to the personalized access ticket at the secure 
communication service . 

Also, in this aspect of the present invention, the 

25 method can further comprises the step of: probabilistically 
identifying an identity of the sender by reconstructing the 
official identification of the sender While judging 
identity of a plurality of anonymous identifications of the 
sender corresponding to the link information contained in a 

30 plurality of personalized access tickets used by the 
sender . 

According to another aspect of the present invention there is provided a communication system realizing email access control, comprising: a communication network to which a plurality of user terminals are connected; and a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

Also, in this aspect of the present invention, the secure communication service device authenticates the personalized access ticket presented by the sender, and refuses a delivery of the email when the personalized access ticket presented by the sender has been altered.

Also, in this aspect of the present invention, the system further comprises: a secure processing device for issuing the personalized access ticket which is signed by a secret key of the secure processing device; wherein the secure communication service device authenticates the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

Also, in this aspect of the present invention, the secure communication service device also receives the sender's identification presented by the sender along with the personalized access ticket, checks whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuses a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

Also, in this aspect of the present invention, the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the secure communication service device checks the validity period contained in the personalized access ticket presented by the sender and refuses a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already expired.

Also, in this aspect of the present invention, the system further comprises: a trusted third party for setting the validity period of the personalized access ticket.

Also, in this aspect of the present invention, the system can further comprise: a directory service device for managing an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, and issuing the personalized access ticket to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

Also, in this aspect of the present invention, the secure communication service device can register in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, and refuse a delivery of the email from the sender when the personalized access ticket presented by the sender is registered therein in advance.

Also, in this aspect of the present invention, the secure communication service device can delete the personalized access ticket registered therein upon request from the specific registrant who registered the personalized access ticket.

Also, in this aspect of the present invention, the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the secure communication service device authenticates the sender's identification presented by the sender and refuses a delivery of the email when an authentication of the sender's identification fails.

Also, in this aspect of the present invention, the authentication of the sender's identification is realized by a challenge/response procedure between the sender and the secure communication service device.

Also, in this aspect of the present invention, the system further comprises a trusted third party for setting the transfer control flag of the personalized access ticket.

Also, in this aspect of the present invention, the sender's identification and the recipient's identification in the personalized access ticket can be given by real email addresses of the sender and the recipient.
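As an added illustration (not code from the patent), the following Python sketch realizes the checks the secure communication service device performs on a presented ticket, in the order the text lists them: signature check, sender identification contained in the ticket, validity period, refusal tickets registered in advance, and challenge/response authentication when the transfer control flag is set. It also takes out the recipient identifications from the ticket using the presented sender identification, the step a later paragraph describes for handing the mail to the mail transfer function. The text calls for a signature under the secure processing device's secret key verified with its public key; the example substitutes an HMAC tag under a constructed key so that it runs with the standard library alone, and the field names, e-mail addresses, refusal-registry layout and challenge/response construction are assumptions made for illustration.

```python
"""Ticket checks at the secure communication service (added example).

Not code from the patent. The text signs tickets with the secure processing
device's secret key and verifies them with its public key; to run with the
standard library alone this example substitutes an HMAC tag under a
constructed key. Field names, the refusal registry layout and the
challenge/response construction are assumptions made for illustration.
"""
import hashlib
import hmac
import json
import secrets
import time

SPD_KEY = b"constructed-secure-processing-device-key"   # constructed signing key


def _tag(body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SPD_KEY, payload, hashlib.sha256).hexdigest()


def issue_ticket(sender_id, recipient_ids, valid_from, valid_until, auth_flag):
    """Secure processing device: build a ticket and sign it (HMAC stand-in)."""
    body = {"sender": sender_id, "recipients": list(recipient_ids),
            "valid_from": valid_from, "valid_until": valid_until,
            "transfer_control_flag": auth_flag}   # True: SCS must authenticate sender
    return {"body": body, "sig": _tag(body)}


class SecureCommunicationService:
    """Applies the checks the text lists, in order, and says whether to deliver."""

    def __init__(self, now_fn=time.time):
        self.now = now_fn
        self.refused = set()      # (sender, registrant) pairs registered for refusal
        self.sender_keys = {}     # constructed per-sender secrets for challenge/response

    def register_refusal(self, sender_id, registrant_id):
        self.refused.add((sender_id, registrant_id))

    def delete_refusal(self, sender_id, registrant_id):
        self.refused.discard((sender_id, registrant_id))

    def challenge_response(self, sender_id, respond):
        """Constructed challenge/response: the sender MACs a fresh nonce with its secret."""
        key = self.sender_keys.get(sender_id)
        if key is None:
            return False
        nonce = secrets.token_bytes(16)
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, respond(nonce))

    def check(self, ticket, presented_sender, respond=None):
        """Return ("deliver", recipient_ids) or ("refuse", reason)."""
        body = ticket["body"]
        if not hmac.compare_digest(_tag(body), ticket["sig"]):
            return "refuse", "ticket altered"
        ids = [body["sender"]] + body["recipients"]
        if presented_sender not in ids:
            return "refuse", "sender not in ticket"
        if not body["valid_from"] <= self.now() <= body["valid_until"]:
            return "refuse", "validity period expired"
        # the recipient identifications are taken out of the ticket by excluding
        # the identification the sender presented
        recipients = [i for i in ids if i != presented_sender]
        if any((presented_sender, r) in self.refused for r in recipients):
            return "refuse", "ticket registered for refusal"
        if body["transfer_control_flag"]:
            if respond is None or not self.challenge_response(presented_sender, respond):
                return "refuse", "sender authentication failed"
        return "deliver", recipients


def demo():
    """Exercise each branch on constructed tickets with the clock fixed at t=1000."""
    scs = SecureCommunicationService(now_fn=lambda: 1000.0)
    scs.sender_keys["alice@example.com"] = b"constructed-alice-secret"
    ok = issue_ticket("alice@example.com", ["bob@example.com"], 0, 2000, False)
    out = {"valid": scs.check(ok, "alice@example.com")}
    forged = {"body": dict(ok["body"], recipients=["carol@example.com"]), "sig": ok["sig"]}
    out["altered"] = scs.check(forged, "alice@example.com")
    out["wrong_sender"] = scs.check(ok, "mallory@example.com")
    stale = issue_ticket("alice@example.com", ["bob@example.com"], 0, 500, False)
    out["expired"] = scs.check(stale, "alice@example.com")
    scs.register_refusal("alice@example.com", "bob@example.com")
    out["refused"] = scs.check(ok, "alice@example.com")
    scs.delete_refusal("alice@example.com", "bob@example.com")
    authed = issue_ticket("alice@example.com", ["bob@example.com"], 0, 2000, True)

    def respond(nonce):   # what the sender's terminal would answer to the challenge
        return hmac.new(b"constructed-alice-secret", nonce, hashlib.sha256).digest()

    out["authenticated"] = scs.check(authed, "alice@example.com", respond)
    out["unauthenticated"] = scs.check(authed, "alice@example.com")
    return out
```

The order of the checks matters for the detection side: an altered ticket is rejected before any identity or registry lookup, so a forged ticket never influences the refusal registry or triggers a challenge, and every refusal carries a reason that a service operator can log and count.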

Also, in this aspect of the present invention, the system can further comprise: a certification authority device for issuing an anonymous identification of each user which contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by the certification authority device; wherein the sender's identification and the recipient's identification in the personalized access ticket can be given by anonymous identifications of the sender and the recipient.

Also, in this aspect of the present invention, the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority device using a secret key of the certification authority device.

Also, in this aspect of the present invention, the official identification of each user is a character string uniquely assigned to each user by the certification authority device and a public key of each user which are signed by a secret key of the certification authority device.

Also, in this aspect of the present invention, the secure communication service device can probabilistically identify an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

Also, in this aspect of the present invention, the system can further comprise: a certification authority device for issuing an anonymous identification of each user which contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by the certification authority device and a link information of each anonymous identification by which each anonymous identification can be uniquely identified; wherein the sender's identification and the recipient's identification in the personalized access ticket can be given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient.

Also, in this aspect of the present invention, the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority device.

Also, in this aspect of the present invention, the secure communication service device can probabilistically identify an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.
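The fragment mechanism in the preceding paragraphs, as an added example that is not part of the patent: the certification authority issues an official identification (unique string plus public key), then hands out anonymous identifications that each carry one fragment of it together with a link identifier. The secure communication service, seeing several anonymous identifications used by one sender, checks that every fragment carries the authority's signature, that overlapping fragments agree, and rebuilds as much of the official identification as the fragments cover. The authority's signature is replaced here by an HMAC tag under a constructed key so the block runs offline; the serialization of the official identification, the fragment layout, and the coverage fraction used as a confidence measure are assumptions made for the example.

```python
"""Fragment-based anonymous identifications and their reconstruction (added example).

Not code from the patent. The certification authority's signature is replaced
by an HMAC tag under a constructed key so the example runs offline; the
serialization of the official identification, the fragment layout and the
coverage score used as a confidence measure are assumptions for illustration.
"""
import hashlib
import hmac
import json

CA_KEY = b"constructed-certification-authority-key"


def ca_sign(body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()


def issue_official_id(uid, public_key):
    """CA: official identification = CA-assigned unique string + user's public key, CA-signed."""
    body = {"uid": uid, "pub": public_key}
    return {"body": body, "sig": ca_sign(body)}


def issue_anonymous_id(official, link, offset, length):
    """CA: anonymous identification carrying one fragment of the official identification.

    `link` is the identifier uniquely assigned to this anonymous identification
    (the link information); the fragment is a slice of the serialized official id.
    """
    serial = official["body"]["uid"] + "|" + official["body"]["pub"]
    body = {"link": link, "offset": offset, "fragment": serial[offset:offset + length],
            "total": len(serial)}
    return {"body": body, "sig": ca_sign(body)}


def reconstruct(anon_ids):
    """Secure communication service side: judge identity and rebuild the official id.

    Returns (same_user, partial_serial, coverage). Fragments that overlap but
    disagree (or that claim different total lengths) cannot come from one
    official identification, so same_user is False. Coverage is the fraction
    of characters recovered: with full coverage the sender is identified, with
    less the identification is only probabilistic, as the text puts it.
    """
    slots, total = {}, None
    for anon in anon_ids:
        if not hmac.compare_digest(ca_sign(anon["body"]), anon["sig"]):
            raise ValueError("anonymous identification not signed by the CA")
        b = anon["body"]
        total = b["total"] if total is None else total
        if b["total"] != total:
            return False, "", 0.0
        for i, ch in enumerate(b["fragment"]):
            if slots.get(b["offset"] + i, ch) != ch:
                return False, "", 0.0
            slots[b["offset"] + i] = ch
    if not total:
        return False, "", 0.0
    return True, "".join(slots.get(p, "?") for p in range(total)), len(slots) / total


def demo():
    """Constructed data: alice used three anonymous ids across three tickets."""
    alice = issue_official_id("alice-0042", "PKalice")      # serial is 18 chars
    eve = issue_official_id("eveline-07", "PKeveli")        # also 18 chars
    a1 = issue_anonymous_id(alice, "link-a1", 0, 6)        # "alice-"
    a2 = issue_anonymous_id(alice, "link-a2", 4, 6)        # "e-0042"
    a3 = issue_anonymous_id(alice, "link-a3", 10, 8)       # "|PKalice"
    e1 = issue_anonymous_id(eve, "link-e1", 0, 6)          # "evelin"
    return {"full": reconstruct([a1, a2, a3]),
            "partial": reconstruct([a1, a3]),
            "conflict": reconstruct([a1, e1])}
```

The design point the example makes visible is the trade-off the text relies on: a single anonymous identification reveals only a fragment, so the recipient learns nothing about who the sender is, while the service that sees many tickets from the same sender accumulates fragments and can, with enough coverage, attribute abusive traffic to one official identification.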

Also, in this aspect of the present invention, the personalized access ticket can contain a single sender's identification and a single recipient's identification in 1-to-1 correspondence.

Also, in this aspect of the present invention, the personalized access ticket can contain a single sender's identification and a plurality of recipient's identifications in 1-to-N correspondence, where N is an integer greater than 1.

Also, in this aspect of the present invention, one identification among the single sender's identification and the plurality of recipient's identifications is a holder identification for identifying a holder of the personalized access ticket while other identifications among the single sender's identification and the plurality of recipient's identifications are member identifications for identifying members of a group to which the holder belongs.

Also, in this aspect of the present invention, the system can further comprise: a certification authority device for issuing to each user an identification of each user and an enabler of the identification of each user indicating a right to change the personalized access ticket containing the identification of each user as the holder identification; and a secure processing device at which prescribed processing on the personalized access ticket can be carried out only by a user who presented both the holder identification contained in the personalized access ticket and the enabler corresponding to the holder identification to the secure processing device.

Also, in this aspect of the present invention, the certification authority device issues the enabler of the identification of each user as an information indicating that it is the enabler and the identification of each user itself which are signed by a secret key of the certification authority device.

Also, in this aspect of the present invention, the prescribed processing includes a generation of a new personalized access ticket, a merging of a plurality of personalized access tickets, a splitting of one personalized access ticket into a plurality of personalized access tickets, a changing of the holder of the personalized access ticket, a changing of a validity period of the personalized access ticket, and a changing of a transfer control flag of the personalized access ticket.

Also, in this aspect of the present invention, a special identification and a special enabler corresponding to the special identification which are known to all users can be defined such that the generation of a new personalized access ticket and the changing of the holder of the personalized access ticket can be carried out by the holder of the personalized access ticket by using the special identification and the special enabler without using an enabler of a member identification.

Also, in this aspect of the present invention, the special identification is defined to be capable of being used only as the holder identification of the personalized access ticket.

Also, in this aspect of the present invention, a special identification which is known to all users can be defined such that a read only attribute can be set to the personalized access ticket by using the special identification.
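One way to realize the holder/enabler rule and the prescribed processing of the preceding paragraphs, as an added example (not the patent's own code): the certification authority issues an enabler as the marker "enabler" plus the user's identification under its signature; the secure processing device executes generation, merging, splitting, holder change and validity change only for a caller who presents the ticket's holder identification together with a valid enabler for it; a special identification with a published enabler is the holder of every freshly generated ticket, so anyone can generate a ticket and move it to a real holder without a member's enabler, and the special identification is refused as a member. The signature is again an HMAC tag under a constructed key; the ticket layout, the operation names, the rule that the old holder becomes a member on a holder change, and the simplified read-only rule (a read-only ticket rejects every change) are assumptions made for the example.

```python
"""Holder/enabler authorization for prescribed processing on tickets (added example).

Not code from the patent. The certification authority's signature on an
enabler is an HMAC tag under a constructed key; ticket layout, operation
names and the simplified read-only rule are assumptions for illustration.
"""
import hashlib
import hmac
import json

CA_KEY = b"constructed-certification-authority-key"
SPECIAL_ID = "special:anyone"      # identification known to all users


def issue_enabler(user_id):
    """CA: the enabler is the marker 'enabler' plus the id, CA-signed (HMAC stand-in)."""
    body = {"kind": "enabler", "id": user_id}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()}


SPECIAL_ENABLER = issue_enabler(SPECIAL_ID)   # published together with SPECIAL_ID


def enabler_ok(enabler, holder_id):
    b = enabler["body"]
    return (b.get("kind") == "enabler" and b.get("id") == holder_id
            and hmac.compare_digest(issue_enabler(holder_id)["sig"], enabler["sig"]))


class SecureProcessingDevice:
    """Executes prescribed processing only when holder id and matching enabler are presented."""

    @staticmethod
    def _authorize(ticket, holder_id, enabler):
        if ticket["holder"] != holder_id or not enabler_ok(enabler, holder_id):
            raise PermissionError("holder identification and its enabler are required")
        if ticket["read_only"]:
            raise PermissionError("ticket is read-only")

    def generate(self, members, valid_until, flag=False):
        """New tickets start with the special id as holder, so no member enabler is needed."""
        if SPECIAL_ID in members:
            raise ValueError("the special identification may only be a holder")
        return {"holder": SPECIAL_ID, "members": sorted(set(members)),
                "valid_until": valid_until, "transfer_control_flag": flag, "read_only": False}

    def change_holder(self, ticket, holder_id, enabler, new_holder):
        self._authorize(ticket, holder_id, enabler)
        members = [m for m in ticket["members"] if m != new_holder]
        if holder_id != SPECIAL_ID:        # the old holder stays on the ticket as a member
            members.append(holder_id)
        return dict(ticket, holder=new_holder, members=sorted(members))

    def merge(self, t1, t2, holder_id, enabler):
        self._authorize(t1, holder_id, enabler)
        self._authorize(t2, holder_id, enabler)
        return dict(t1, members=sorted(set(t1["members"]) | set(t2["members"])),
                    valid_until=min(t1["valid_until"], t2["valid_until"]))

    def split(self, ticket, holder_id, enabler, subset):
        self._authorize(ticket, holder_id, enabler)
        rest = [m for m in ticket["members"] if m not in subset]
        return dict(ticket, members=sorted(subset)), dict(ticket, members=rest)

    def change_validity(self, ticket, holder_id, enabler, valid_until):
        self._authorize(ticket, holder_id, enabler)
        return dict(ticket, valid_until=valid_until)

    def set_read_only(self, ticket, holder_id, enabler):
        self._authorize(ticket, holder_id, enabler)
        return dict(ticket, read_only=True)


def demo():
    spd = SecureProcessingDevice()
    alice, bob = "alice@example.com", "bob@example.com"
    alice_en, bob_en = issue_enabler(alice), issue_enabler(bob)
    # anyone can generate a ticket and claim it with the published special enabler
    t1 = spd.change_holder(spd.generate([alice, bob], 2000), SPECIAL_ID, SPECIAL_ENABLER, alice)
    t2 = spd.generate([alice, "carol@example.com"], 1500)
    t2 = spd.change_holder(t2, SPECIAL_ID, SPECIAL_ENABLER, alice)
    merged = spd.merge(t1, t2, alice, alice_en)
    out = {"holder": t1["holder"], "members": t1["members"],
           "merged": (merged["members"], merged["valid_until"])}
    try:                                    # bob is a member, not the holder
        spd.change_validity(merged, bob, bob_en, 3000)
        out["bob_denied"] = False
    except PermissionError:
        out["bob_denied"] = True
    frozen = spd.set_read_only(merged, alice, alice_en)
    try:
        spd.change_validity(frozen, alice, alice_en, 3000)
        out["frozen_denied"] = False
    except PermissionError:
        out["frozen_denied"] = True
    return out
```

Note that a member's own enabler buys nothing on a ticket held by someone else: the check binds the enabler to the holder identification written in the ticket, which is what keeps a recipient from editing the access rights of a ticket that a sender holds.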
Also, in this aspect of the present invention, when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the secure communication service device takes out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, converts the mail by using the taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and gives the mail after conversion to the mail transfer function by attaching the personalized access ticket.

According to another aspect of the present invention there is provided a communication system realizing email access control, comprising: a certification authority device for defining an official identification of each user by which each user is uniquely identifiable by the certification authority device, and an anonymous identification of each user which contains at least one fragment of the official identification; and a communication network on which each user is identified by the anonymous identification of each user in communications for emails on the communication network.

Also, in this aspect of the present invention, the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority device using a secret key of the certification authority device.

Also, in this aspect of the present invention, the official identification of each user is a character string uniquely assigned to each user by the certification authority device and a public key of each user which are signed by a secret key of the certification authority device.

Also, in this aspect of the present invention, the system can further comprise: a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a sender's anonymous identification and a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

Also, in this aspect of the present invention, the secure communication service device can probabilistically identify an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

Also, in this aspect of the present invention, the certification authority device can also define a link information of each anonymous identification by which each anonymous identification can be uniquely identified, and each anonymous identification can also contain the link information of each anonymous identification.

Also, in this aspect of the present invention, the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority device.

Also, in this aspect of the present invention, the system can further comprise: a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a link information of a sender's anonymous identification and a link information of a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

Also, in this aspect of the present invention, the secure communication service device can probabilistically identify an identity of the sender by reconstructing the official identification of the sender while judging identity of the link information of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.
According to another aspect of the present invention there is provided a secure communication service device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to connect communications between the sender and the receiver, by receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

Also, in this aspect of the present invention, the computer software causes the computer hardware to authenticate the personalized access ticket presented by the sender, and refuse a delivery of the email when the personalized access ticket presented by the sender has been altered.

Also, in this aspect of the present invention, the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket, and the computer software causes the computer hardware to authenticate the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

Also, in this aspect of the present invention, the computer software causes the computer hardware to also receive the sender's identification presented by the sender along with the personalized access ticket, check whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuse a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

Also, in this aspect of the present invention, the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the computer software causes the computer hardware to check the validity period contained in the personalized access ticket presented by the sender and refuse a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already expired.

Also, in this aspect of the present invention, the computer software can cause the computer hardware to register in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service device, and refuse a delivery of the email from the sender when the personalized access ticket presented by the sender is registered at the secure communication service device in advance.

Also, in this aspect of the present invention, the computer software can cause the computer hardware to delete the personalized access ticket registered at the secure communication service device upon request from the specific registrant who registered the personalized access ticket.

Also, in this aspect of the present invention, the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service device, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the computer software causes the computer hardware to authenticate the sender's identification presented by the sender and refuse a delivery of the email when an authentication of the sender's identification fails.

Also, in this aspect of the present invention, the computer software causes the computer hardware to realize the authentication of the sender's identification by a challenge/response procedure between the sender and the secure communication service device.

Also, in this aspect of the present invention, the sender's identification and the recipient's identification in the personalized access ticket can be given by anonymous identifications of the sender and the recipient, where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority, and the computer software can also cause the computer hardware to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

Also, in this aspect of the present invention, an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified can be defined, the sender's identification and the recipient's identification in the personalized access ticket can be given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient, and the computer software can also cause the computer hardware to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

Also, in this aspect of the present invention, when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the computer software causes the computer hardware to take out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, convert the mail by using the taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and give the mail after conversion to the mail transfer function by attaching the personalized access ticket.
According to another aspect of the present invention there is provided a secure processing device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to receive a request for a personalized access ticket from a user, and issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is signed by a secret key of the secure processing device.

According to another aspect of the present invention there is provided a directory service device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to manage an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, and issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

According to another aspect of the present invention there is provided a certification authority device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to issue to each user an official identification of each user by which each user is uniquely identifiable by the certification authority device, and an anonymous identification of each user which contains at least one fragment of the official identification.

According to another aspect of the present invention there is provided a certification authority device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to issue to each user an identification of each user and an enabler of the identification of each user indicating a right to change any personalized access ticket that contains the identification of each user as a holder identification, where the personalized access ticket generally contains a sender's identification and a plurality of recipient's identifications in correspondence, and one of the sender's identification and the recipient's identifications is a holder identification.

According to another aspect of the present invention there is provided a secure processing device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to receive from a user a request for prescribed processing on a personalized access ticket containing a sender's identification and a plurality of recipient's identifications in correspondence, where one of the sender's identification and the recipient's identifications is a holder identification, and execute the prescribed processing on the personalized access ticket when the user presented both the holder identification contained in the personalized access ticket and an enabler corresponding to the holder identification which indicates a right to change the personalized access ticket containing the identification of the user as the holder identification.

According to another aspect of the present invention 
there is provided a computer usable medium having computer 

35 readable program code means embodied therein for causing a 
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computer to function as a secure communication service 
device for use in a communication system realizing email 
access control, the computer readable program code means 
includes: first computer readable program code means for 
5 causing said computer to receive a personalized access 
ticket containing a sender's identification and a 
recipient's identification in correspondence, which is 
presented by a sender who wishes to send an email to a 
recipient so as to specify the recipient as an intended 

10 destination of the email; and second computer readable 
program code means for causing said computer to control 
accesses between the sender and the recipient by verifying 
an access right of the sender with respect to the recipient 
according to the personalized access ticket, so as to 

15 connect communications between the sender and the receiver 
on the communication network. 

Also, in this aspect of the present invention, the 
second computer readable program code means causes said 
computer to authenticate the personalized access ticket 

20 presented by the sender, and refuse a delivery of the email 
when the personalized access ticket presented by the sender 
has been altered. 

Also, in this aspect of the present invention, the 
personalized access ticket is signed by a secret key of a 

25 secure processing device which issued the personalized 
access ticket, and the second computer readable program 
code means causes said computer to authenticate the 
personalized access ticket by verifying a signature of the 
secure processing device in the personalized access ticket 

30 using a public key of the secure processing device. 

Also, in this aspect of the present invention, the 
first computer readable program code means causes said 
computer to also receive the sender's identification 
presented by the sender along with the personalized access 

35 ticket, and the second computer readable program code means 


-32- 


causes said computer to check whether the sender's 
identification presented by the sender is contained in the 
personalized access ticket presented by the sender and 
refuse a delivery of the email when the sender's 
identification presented by the sender is not contained in 
the personalized access ticket presented by the sender. 

Also, in this aspect of the present invention, the 
personalized access ticket also contains a validity period 
indicating a period for which the personalized access 
ticket is valid, and the second computer readable program 
code means causes said computer to check the validity 
period contained in the personalized access ticket 
presented by the sender and refuse a delivery of the email 
when the personalized access ticket presented by the sender 
contains the validity period that has already been expired. 

Also, in this aspect of the present invention, the 
second computer readable program code means can cause said 
computer to register in advance the personalized access 
ticket containing an identification of a specific user from 
which a delivery of emails to a specific registrant is to 
be refused as the sender's identification and an 
identification of the specific registrant as the 
recipient's identification, at the secure communication 
service device, and refuse a delivery of the email from the 
sender when the personalized access ticket presented by the 
sender is registered at the secure communication service 
device in advance. 

Also, in this aspect of the present invention, the 
second computer readable program code means can cause said 
computer to delete the personalized access ticket 
registered at the secure communication service device upon 
request from the specific registrant who registered the 
personalized access ticket. 

Also, in this aspect of the present invention, the 
personalized access ticket also contains a transfer control 
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flag indicating whether or not the sender should be 
authenticated by the secure communication service device, 
and when the transfer control flag contained in the 
personalized access ticket indicates that the sender should 
be authenticated, the second computer readable program code 
means causes said computer to authenticate the sender's 
identification presented by the sender and refuse a 
delivery of the email when an authentication of the 
sender's identification fails. 

Also, in this aspect of the present invention, the 
second computer readable program code means causes said 
computer to realize the authentication of the sender's 
identification by a challenge/response procedure between 
the sender and the secure communication service device. 

Also, in this aspect of the present invention, the 
sender's identification and the recipient's identification 
in the personalized access ticket can be given by anonymous 
identifications of the sender and the recipient, where an 
anonymous identification of each user contains at least one 
fragment of an official identification of each user by 
which each user is uniquely identifiable by a certification 
authority, and the second computer readable program code 
means can also cause said computer to probabilistically 
identify an identity of the sender by reconstructing the 
official identification of the sender by judging identity 
of a plurality of anonymous identifications of the sender 
contained in a plurality of personalized access tickets 
used by the sender. 

Also, in this aspect of the present invention, an 
anonymous identification of each user that contains at 
least one fragment of an official identification of each 
user by which each user is uniquely identifiable by a 
certification authority and a link information of each 
anonymous identification by which each anonymous 
identification can be uniquely identified can be defined, 
the sender's identification and the recipient's 
identification in the personalized access ticket can be 
given by a link information of the anonymous identification 
of the sender and a link information of the anonymous 
identification of the recipient, and the second computer 
readable program code means can also cause said computer to 
probabilistically identify an identity of the sender by 
reconstructing the official identification of the sender by 
judging identity of a plurality of anonymous 
identifications of the sender corresponding to the link 
information contained in a plurality of personalized access 
tickets used by the sender. 

Also, in this aspect of the present invention, when 
the access right of the sender with respect to the 
recipient is verified according to the personalized access 
ticket, the second computer readable program code means 
causes said computer to take out the recipient's 
identification from the personalized access ticket by using 
the sender's identification presented by the sender, 
convert the mail by using a taken out recipient's 
identification into a format that can be interpreted by a 
mail transfer function for actually carrying out a mail 
delivery processing, and give the mail after conversion to 
the mail transfer function by attaching the personalized 
access ticket. 

According to another aspect of the present invention 
there is provided a computer usable medium having computer 
readable program code means embodied therein for causing a 
computer to function as a secure processing device for use 
in a communication system realizing email access control, 
the computer readable program code means includes: first 
computer readable program code means for causing said 
computer to receive a request for a personalized access 
ticket from a user; and second computer readable program 
code means for causing said computer to issue the 
personalized access ticket containing a sender's 
identification and a recipient's identification in 
correspondence, which is signed by a secret key of the 
secure processing device. 

According to another aspect of the present invention 
there is provided a computer usable medium having computer 
readable program code means embodied therein for causing a 
computer to function as a directory service device for use 
in a communication system realizing email access control, 
the computer readable program code means includes: first 
computer readable program code means for causing said 
computer to manage an identification of each registrant and 
a disclosed information of each registrant which has a 
lower secrecy than a personal information, in a state which 
is accessible for search by an unspecified number of users, and second 
computer readable program code means for causing said 
computer to issue a personalized access ticket containing a 
sender's identification and a recipient's identification in 
correspondence, to the sender in response to search 
conditions specified by the sender, by using an 
identification of a registrant whose disclosed information 
matches the search conditions as the recipient's 
identification and the sender's identification specified by 
the sender along with the search conditions. 

According to another aspect of the present invention 
there is provided a computer usable medium having computer 
readable program code means embodied therein for causing a 
computer to function as a certification authority device 
for use in a communication system realizing email access 
control, the computer readable program code means includes: 
first computer readable program code means for causing said 
computer to issue to each user an official identification 
of each user by which each user is uniquely identifiable by 
the certification authority device; and second computer 
readable program code means for causing said computer to 
issue to each user an anonymous identification of each user 
which contains at least one fragment of the official 
identification. 

According to another aspect of the present invention 
there is provided a computer usable medium having computer 
readable program code means embodied therein for causing a 
computer to function as a certification authority device 
for use in a communication system realizing email access 
control, the computer readable program code means includes: 
first computer readable program code means for causing said 
computer to issue to each user an identification of each 
user; and second computer readable program code means for 
causing said computer to issue to each user an enabler of 
the identification of each user indicating a right to 
change any personalized access ticket that contains the 
identification of each user as a holder identification, 
where the personalized access ticket generally contains a 
sender's identification and a plurality of recipient's 
identifications in correspondence, and one of the sender's 
identification and the recipient's identifications is a 
holder identification. 

According to another aspect of the present invention 
there is provided a computer usable medium having computer 
readable program code means embodied therein for causing a 
computer to function as a secure processing device for use 
in a communication system realizing email access control, 
the computer readable program code means includes: first 
computer readable program code means for causing said 
computer to receive from a user a request for prescribed 
processing on a personalized access ticket containing a 
sender's identification and a plurality of recipient's 
identifications in correspondence, where one of the 
sender's identification and the recipient's identifications 
is a holder identification; and second computer readable 
program code means for causing said computer to execute the 
prescribed processing on the personalized access ticket 
when the user presented both the holder identification 
contained in the personalized access ticket and an enabler 
corresponding to the holder identification which indicates 
a right to change the personalized access ticket containing 
the identification of the user as the holder 
identification. 

Other features and advantages of the present invention 
will become apparent from the following description taken 
in conjunction with the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a diagram showing an overall configuration 
of a communication system according to the first embodiment 
of the present invention. 

Fig. 2 is a diagram showing exemplary data structures 
of an official identification, an anonymous identification, 
and a 1-to-1 personalized access ticket according to the 
first embodiment of the present invention. 

Fig. 3 is a flow chart for an anonymous identification 
generation processing at a certification authority 
according to the first embodiment of the present invention. 

Fig. 4 is a flow chart for a personalized access 
ticket generation processing at an anonymous directory 
service according to the first embodiment of the present 
invention. 

Fig. 5 is a flow chart for a mail access control 
processing at a secure communication service according to 
the first embodiment of the present invention. 

Fig. 6 is a flow chart for an anonymous identification 
identity judgement processing at a secure communication 
service according to the first embodiment of the present 
invention. 

Fig. 7 is a diagram showing exemplary data structures 
of data used in the anonymous identification identity 
judgement processing of Fig. 6. 

Fig. 8 is a diagram showing exemplary data structures 
of an official identification, an anonymous identification, 
and a 1-to-N personalized access ticket according to the 
second embodiment of the present invention. 

Fig. 9 is a diagram showing exemplary data structures 
of an anonymous identification and an enabler according to 
the second embodiment of the present invention. 

Fig. 10 is a diagram showing a definition of a 
processing rule (MakePAT) used in the second embodiment of 
the present invention. 

Fig. 11 is a diagram showing a definition of a 
processing rule (MergePAT) used in the second embodiment of 
the present invention. 

Fig. 12 is a diagram showing a definition of a 
processing rule (SplitPAT) used in the second embodiment of 
the present invention. 

Fig. 13 is a diagram showing a definition of a 
processing rule (TransPAT) used in the second embodiment of 
the present invention. 

Fig. 14 is a first exemplary system configuration that 
can be used in the second embodiment of the present 
invention. 

Fig. 15 is a second exemplary system configuration 
that can be used in the second embodiment of the present 
invention. 

Fig. 16 is a third exemplary system configuration that 
can be used in the second embodiment of the present 
invention. 

Fig. 17 is a fourth exemplary system configuration 
that can be used in the second embodiment of the present 
invention. 

Fig. 18 is a fifth exemplary system configuration that 
can be used in the second embodiment of the present 
invention. 

Fig. 19 is a sixth exemplary system configuration that 
can be used in the second embodiment of the present 
invention. 

Fig. 20 is a seventh exemplary system configuration 
that can be used in the second embodiment of the present 
invention. 

Fig. 21 is a flow chart showing an overall processing 
flow of MakePAT, MergePAT or TransPAT processing according 
to the second embodiment of the present invention. 

Fig. 22 is a flow chart showing an overall processing 
flow of SplitPAT processing according to the second 
embodiment of the present invention. 

Fig. 23 is a flow chart for an anonymous 
identification list generation processing (for MakePAT, 
MergePAT, SplitPAT and TransPAT) according to the second 
embodiment of the present invention. 

Fig. 24 is an enabler authenticity verification 
processing (for MakePAT, MergePAT, SplitPAT and TransPAT) 
according to the second embodiment of the present 
invention. 

Fig. 25 is a diagram showing an exemplary data 
structure of Null-AID used in the third embodiment of the 
present invention. 

Fig. 26 is a diagram showing an exemplary data 
structure of Enabler of Null-AID used in the third 
embodiment of the present invention. 

Fig. 27 is a diagram showing a first exemplary 
application of the third embodiment of the present 
invention. 

Fig. 28 is a diagram showing a second exemplary 
application of the third embodiment of the present 
invention. 

Fig. 29 is a diagram showing an exemplary data 
structure of God-AID used in the fourth embodiment of the 
present invention. 

Fig. 30 is a diagram showing a first exemplary 
application of the fourth embodiment of the present 
invention. 

Fig. 31 is a diagram showing a second exemplary 
application of the fourth embodiment of the present 
invention. 

Fig. 32 is a flow chart for a member anonymous 
identification checking processing according to the fifth 
embodiment of the present invention. 

Fig. 33 is a diagram showing an overall configuration 
of a communication system according to the sixth embodiment 
of the present invention. 

Fig. 34 is a diagram showing exemplary data structures 
of an official identification, a link information attached 
anonymous identification, and a link specifying 1-to-1 
personalized access ticket according to the sixth 
embodiment of the present invention. 

Fig. 35 is a flow chart for a link information 
attached anonymous identification generation processing at 
a certification authority according to the sixth embodiment 
of the present invention. 

Fig. 36 is a flow chart for a link specifying 1-to-1 
personalized access ticket generation processing at an 
anonymous directory service according to the sixth 
embodiment of the present invention. 

Fig. 37 is a flow chart for a mail access control 
processing at a secure communication service according to 
the sixth embodiment of the present invention. 

Fig. 38 is a flow chart for an anonymous 
identification identity judgement processing at a secure 
communication service according to the sixth embodiment of 
the present invention. 

Fig. 39 is a diagram showing exemplary data structures 
of data used in the anonymous identification identity 
judgement processing of Fig. 38. 

Fig. 40 is a diagram showing exemplary data structures 
of an official identification, a link information attached 
anonymous identification, and a link specifying 1-to-N 
personalized access ticket according to the seventh 
embodiment of the present invention. 

Fig. 41 is a diagram showing exemplary data structures 
of a link information attached anonymous identification and 
an enabler according to the seventh embodiment of the 
present invention. 

Fig. 42 is a first exemplary system configuration that 
can be used in the seventh embodiment of the present 
invention. 

Fig. 43 is a second exemplary system configuration 
that can be used in the seventh embodiment of the present 
invention. 

Fig. 44 is a third exemplary system configuration that 
can be used in the seventh embodiment of the present 
invention. 

Fig. 45 is a fourth exemplary system configuration 
that can be used in the seventh embodiment of the present 
invention. 

Fig. 46 is a fifth exemplary system configuration that 
can be used in the seventh embodiment of the present 
invention. 

Fig. 47 is a sixth exemplary system configuration that 
can be used in the seventh embodiment of the present 
invention. 

Fig. 48 is a seventh exemplary system configuration 
that can be used in the seventh embodiment of the present 
invention. 

Fig. 49 is a flow chart for a link specifying 
anonymous identification list generation processing (for 
MakePAT, MergePAT, SplitPAT and TransPAT) according to the 
seventh embodiment of the present invention. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Referring now to Fig. 1 to Fig. 7, the first 
embodiment of the email access control scheme according to 
the present invention will be described in detail. 

The email access control scheme of the present 
invention enables bidirectional communications between a 
sender and a recipient appropriately while maintaining 
anonymity of a sender and a recipient on a communication 
network. Basically, this is realized by disclosing only 
information indicative of characteristics of recipients in 
a state of concealing true identifiers of the recipients, 
and assigning limited access rights with respect to those 
who wish to carry out communications while maintaining the 
anonymity according to the disclosed information. 

More specifically, an Anonymous Identification 
(abbreviated hereafter as AID) that functions as a role 
identifier in which a personal information is concealed is 
assigned to a user, and this AID is disclosed on the 
network in combination with an information indicative of 
characteristics of the user such as his/her interests, age, 
job, etc., which cannot be used in identifying the user on 
the network but which can be useful for a sender in judging 
whether or not it is worth communicating with that user. 

Also, the sender can search out a recipient with whom 
he/she wishes to communicate by reading or searching 
through the disclosed information. Namely, in the case 
where the sender wishes to communicate with a recipient 
while maintaining his/her own anonymity, the sender 
specifies the AID of that recipient and acquires a 
Personalized Access Ticket (abbreviated hereafter as PAT). 
The PAT contains the AIDs of the sender and the recipient 
as well as information regarding a transfer control flag 
and a validity period. The transfer control flag is used in 
order to determine whether a Secure Communication Service 
(abbreviated hereafter as SCS) to be described below 
carries out the authentication with respect to the sender. 
Namely, when the transfer control flag is set ON, the SCS 
will carry out the authentication such as signature 
verification for example, with respect to the sender at a 
time of the connection request. On the other hand, when the 
transfer control flag is set OFF, the SCS will give the 
connection request to a physical communication network to 
which the SCS is connected, without carrying out the 
authentication. In other words, the transfer control is 
used in order to verify whether or not the AID is properly 
utilized by the user to whom it is allocated by a 
Certification Authority (abbreviated hereafter as CA). 

In the communication network realizing the email 
access control scheme of the present invention, the 
assignment of AIDs with respect to users, the maintenance 
of information disclosed in combination with AIDs, the 
issuance of PATs, and the email access control based on 
PATs are realized by separate organizations. This is 
because it is more convenient to realize them by separate 
organizations from a perspective of maintaining the 
security of the entire network, since security levels to be 
maintained in relation to respective actions are different. 
Note however that the maintenance of the disclosed 
information and the issuance of PATs may be realized by the 
same organization. 

Fig. 1 shows an overall configuration of a 
communication system in this first embodiment, which is 
directed to the email service on Internet or Intranet. 

In Fig. 1, the CA (Certification Authority) 1 has a 
right to authenticate an Official Identification 
(abbreviated hereafter as OID) that identifies each 
individual and a right to issue AIDs, and functions to 
generate AIDs from OIDs and allocate AIDs to users 3. 

The SCS (Secure Communication Service) 5 judges 
whether or not to admit a connection in response to a 
connection request by an email from a user 3, according to 
the PAT (Personalized Access Ticket) presented from a user 
3. The SCS 5 also rejects a connection request by an email 
according to a request from a user 3. The SCS 5 also judges 
the identity of OIDs according to a request from a user 3. 

An Anonymous Directory Service (abbreviated hereafter 
as ADS) 7 is a database for managing the AID, the transfer 
control flag value, the validity period value, and the 
disclosed information (such as interests, which can be 
regarded as requiring a lower secrecy compared with a 
personal information such as name, telephone number, and 
real email address) of each user 3. The ADS 7 has a 
function to generate the PAT from the AID of a user 3 who 
presented search conditions, the AID of a user 3 who has 
been registering the disclosed information that matches the 
search conditions in the ADS 7, the transfer control flag 
value given from a user 3 or administrators of the ADS, and 
the validity period value given from a user 3 or 
administrators of the ADS, and then allocate the PAT to a 
user 3 who presented the search conditions. 

First, a series of processing from generating the AID 
from the OID according to a request from a user until 
allocating the AID to that user will be described. 

Fig. 2 shows exemplary formats of the OID, the AID, 
and the PAT. As shown in a part (a) of Fig. 2, the OID is 
an information comprising an arbitrary character string 
according to a rule by which the CA 1 can uniquely identify 
the user and a public key, which is signed by the CA 1 
using a secret key of the CA 1. 

Also, as shown in a part (b) of Fig. 2, the AID is an 
information comprising fragments of the OID and their 
position information, redundant character strings, and an 
SCS information given by an arbitrary character string 
(host name, real domain name, etc.) by which a host or a 
domain that is operating the SCS 5 can be uniquely 
identified on the network, which is signed by the CA 1 
using the secret key of the CA 1. 

Also, as shown in a part (c) of Fig. 2, the PAT is an 
information comprising the transfer control flag, AID0, 
AID1, and the validity period, which is signed by the ADS 7 
using a secret key of the ADS 7. Here, the transfer control 
flag value is defined to take either 0 or 1. Also, the 
validity period is defined by any one or combination of the 
number of times for which the PAT is available, the 
absolute time (UTC) by which the PAT becomes unavailable, 
the absolute time (UTC) by which the PAT becomes available, 
and the relative time (lifetime) since the PAT becomes 
available until it becomes unavailable. 

Note that, as will be explained in the subsequent 
embodiments described below, in addition to the 1-to-1 PAT 
which sets one sender and one recipient in correspondence 
as described above, the present invention can also use a 
1-to-N PAT which sets one sender and N recipients, as well as 
a link specifying PAT which specifies the AID by a link 
information that is capable of specifying the AID instead 
of specifying the AID itself in the PAT. The link 
specifying PAT can be either a link specifying 1-to-1 PAT 
or a link specifying 1-to-N PAT depending on the 
correspondence relationship between the sender and the 
recipients as described above. Namely, the PAT of the 
present invention can be given in four types: 1-to-1 PAT, 
1-to-N PAT, link specifying 1-to-1 PAT, and link specifying 
1-to-N PAT. 

Next, a procedure by which the user 3 requests the AID 
to the CA 1 will be described. The user 3 generates a pair 
of a secret key and a public key. Then, the user 3 and the 
CA 1 carry out the bidirectional authentication using the 
OID of the user 3 and the certificate of the CA 1, and the 
user 3 transmits the public key to the CA 1 by arbitrary 
means. Here, there can be cases where communications 
between the user 3 and the CA 1 are to be encrypted. 

Next, a procedure by which the CA 1 issues the AID to 
the user 3 in response to a request for the AID as 
described above will be described. Upon receiving the 
public key from the user 3, the CA 1 generates the AID. 
Then, the CA 1 transmits the AID to the user 3 by arbitrary 
means. Upon receiving the AID from the CA 1, the user 3 
stores the received AID into its storage device. Here, 
there can be cases where communications between the user 3 
and the CA 1 are to be encrypted. 

Next, the AID generation processing at the CA will be 
described with reference to Fig. 3. 

In the procedure of Fig. 3, the CA 1 generates an 
information of a length equal to the total length L of the 
OID, and sets this information as a tentative AID (step 
S911). Then, in order to carry out the partial copying of 
the OID, values of parameters p_i and ℓ_i for specifying a 
copying region are determined using arbitrary means such as 
random number generation respectively (step S913). Here, L 
is the total length of the OID, and ℓ_i is an arbitrarily 
defined value within a range in which a relationship of 
0 < ℓ_i ≤ L holds. Then, an information in a range between a 
position p_i and a position p_i + ℓ_i from the top of the OID 
is copied to the same positions in the tentative AID (step 
S915). In other words, this OID fragment will be copied to 
a range between a position p_i and a position p_i + ℓ_i from 
the top of the tentative AID. Then, the values of p_i and ℓ_i 
are written into a prescribed range in the tentative AID 
into which the OID has been partially copied, in a form 
encrypted by an arbitrary means (step S917). Then, an SCS 
information given by an arbitrary character string (host 
name, real domain, etc.) that can 
uniquely identify a host or a domain that is operating the 
SCS 5 on the network is written into a prescribed range in 
the tentative AID into which these values are written (step 
S919). Then, the tentative AID into which the above 
character string is written is signed using a secret key of 
the CA 1 (step S921). 
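
The AID generation procedure of Fig. 3, together with the fragment-based identity judgement that the summary above attributes to the SCS, as an added worked example. This is editor's code, not the patent's own. It assumes a concrete layout in which the OID fragment, the encrypted (p_i, ℓ_i) pair and the SCS information are separate fields of the AID rather than ranges of one string, replaces the CA's public-key signature with an HMAC tag under a key the verifier holds, replaces "encryption by an arbitrary means" with a SHA-256 keystream XOR (a stand-in, not production encryption), and assumes the SCS holds the parameter key so that it can locate each AID's fragment:

```python
"""Added example (not from the patent): OID -> AID generation (Fig. 3 steps
S911-S921) and fragment-based identity judgement.  Field layout, the HMAC
stand-in for the CA signature and the keystream stand-in for the parameter
encryption are all assumptions of this example."""
import hashlib
import hmac
import os
import random
import string
from dataclasses import dataclass
from typing import Optional

FILLER = string.ascii_letters + string.digits   # source of the redundant character strings


@dataclass(frozen=True)
class AID:
    body: str      # length L: the OID fragment at its original positions, filler elsewhere
    params: bytes  # (p_i, l_i) encrypted under the CA's parameter key (step S917)
    scs: str       # host or domain operating the user's SCS (step S919)
    sig: bytes     # CA signature over the other fields (step S921); HMAC stand-in here


def _sign(ca_key: bytes, body: str, params: bytes, scs: str) -> bytes:
    msg = f"{body}|{params.hex()}|{scs}".encode()
    return hmac.new(ca_key, msg, "sha256").digest()


def _xor_pad(param_key: bytes, nonce: bytes, data: bytes) -> bytes:
    pad = hashlib.sha256(param_key + nonce).digest()[: len(data)]
    return bytes(a ^ b for a, b in zip(data, pad))


def encrypt_params(param_key: bytes, p: int, l: int) -> bytes:
    nonce = os.urandom(8)
    return nonce + _xor_pad(param_key, nonce, p.to_bytes(2, "big") + l.to_bytes(2, "big"))


def decrypt_params(param_key: bytes, blob: bytes) -> tuple[int, int]:
    pt = _xor_pad(param_key, blob[:8], blob[8:])
    return int.from_bytes(pt[:2], "big"), int.from_bytes(pt[2:], "big")


def make_aid(oid: str, scs: str, ca_key: bytes, param_key: bytes,
             region: Optional[tuple[int, int]] = None,
             rng: Optional[random.Random] = None) -> AID:
    """CA side: build one AID from the OID.  `region` fixes (p_i, l_i) for tests."""
    rng = rng or random.SystemRandom()
    L = len(oid)
    if region is None:                     # step S913: choose p_i and l_i, 0 < l_i <= L
        l = rng.randrange(1, L + 1)
        p = rng.randrange(0, L - l + 1)    # keep the fragment inside the OID
    else:
        p, l = region
    tentative = [rng.choice(FILLER) for _ in range(L)]   # step S911: tentative AID of length L
    tentative[p:p + l] = oid[p:p + l]                     # step S915: copy the fragment in place
    body = "".join(tentative)
    params = encrypt_params(param_key, p, l)              # step S917
    return AID(body, params, scs, _sign(ca_key, body, params, scs))   # steps S919, S921


def verify_aid(aid: AID, ca_key: bytes) -> bool:
    return hmac.compare_digest(_sign(ca_key, aid.body, aid.params, aid.scs), aid.sig)


def reconstruct_oid(aids: list[AID], param_key: bytes) -> Optional[str]:
    """SCS side (assumes the SCS holds the parameter key): merge the fragments of
    several AIDs.  Returns the partial OID with '?' where no fragment covers the
    position, or None when two fragments disagree, i.e. the AIDs cannot belong
    to one OID."""
    if not aids:
        return None
    known: dict[int, str] = {}
    for aid in aids:
        p, l = decrypt_params(param_key, aid.params)
        for i in range(p, p + l):
            if known.setdefault(i, aid.body[i]) != aid.body[i]:
                return None
    return "".join(known.get(i, "?") for i in range(len(aids[0].body)))
```

Fragments of AIDs that derive from one OID always agree where they overlap, and their union approaches the full OID as more AIDs of the same user are seen; fragments from two different OIDs conflict at the first overlapping position where the OIDs differ. The number of positions recovered is what makes the judgement probabilistic rather than certain.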

Next, a procedure for registering the AID of a user-B 
3 and the disclosed information into the ADS 7 will be 
described. First, the bidirectional authentication by 
arbitrary means using the AID of the user-B 3 and the 
certificate of the ADS 7 is carried out between the user-B 
3 who is a registrant and the ADS 7. Then, the user-B 3 
transmits the transfer control flag value, the validity 
period value, and the disclosed information such as 
interests to the ADS 7. Then, the ADS 7 stores the transfer 
control flag value, the validity period value, and the 
entire disclosed information in relation to the AID of the 
user-B 3 in its storage device. Here, there can be cases 
where communications between the user-B 3 who is the 
registrant and the ADS 7 are to be encrypted. 

Next, a procedure by which a user-A 3 searches through 
the disclosed information that is registered in the ADS 7 
will be described. First, the bidirectional authentication 
by arbitrary means using the AID of the user-A 3 and the 
certificate of the ADS 7 is carried out between the user-A 
3 who is a searcher and the ADS 7. Then, the user-A 3 
transmits arbitrary search conditions to the ADS 7. Then, 
the ADS 7 presents all the received search conditions to 
its storage device, and extracts the AID of a registrant 
which satisfies these search conditions. Then, the ADS 7 
generates the PAT from the AID of the user-A 3, the AID of 
the registrant who satisfied all the search conditions, the 
transfer control flag value, and the validity period value. 
Then, the ADS 7 transmits the generated PAT to the user-A 
3. Here, there can be cases where communications between 
the user-A 3 who is a searcher and the ADS 7 are to be 
encrypted. Note that the 1-to-1 PAT is generated as a 
search result of the ADS 7. 

Next, the 1-to-1 PAT generation processing at the ADS 
7 will be described with reference to Fig. 4. 

First, an information of a prescribed length is 
generated, and this information is set as a tentative PAT 
(step S1210). Then, the AID of the user-A 3 who is a 
searcher and the AID of the user-B 3 who is a registrant 
are copied into a prescribed region of the tentative PAT 
(step S1215). Then, the transfer control flag value and the 
validity period value are written into respective 
prescribed regions of the tentative PAT into which the AIDs 
are copied (step S1217). Then, the tentative PAT into which 
these values are written is signed using a secret key of 
the ADS 7 (step S1219). 

Next, the transfer control using the 1-to-l PAT will 
be described. The transfer control is a function for 
limiting accesses to a user who has a proper access right 
from a third person to whom the PAT has been transferred or 
who has eavesdropped on the PAT (a user who originally does 
not have the access right). 

The ADS 7 and the user-B 3 of the registrant AID can 
prohibit a connection to the user-B 3 from a third person 
who does not have the access right, by setting a certain 
value into the transfer control flag of the PAT. 

When the transfer control flag value is set to be 1, 
the sender's AID is authenticated between the SCS 5 and the 
sender according to an arbitrary challenge/response 
process, so that even if the sender gives both the sender's 
AID and the PAT to another user other than the sender, that 
another user will not be able to make a connection to the 
registrant of the ADS 7 through the SCS 5. 

On the other hand, when the transfer control flag 
value is set to be 0, no challenge/response process will be 
carried out between the SCS 5 and the sender, so that if 
the sender gives both the sender's AID and the PAT to 
another user other than the sender, that another user will 
also be able to make a connection to the registrant of the 
ADS 7 through the SCS 5. 

Next, the email access control method at the SCS 5 
will be described with reference to Fig. 5. 

The sender specifies "[sender's AID]@[real domain of 
SCS of sender]" in the From: line, and "[PAT]@[real domain of 
SCS of sender]" in the To: line. 

The SCS 5 acquires a mail received by an MTA (Message 
Transfer Agent) such as SMTP (Simple Mail Transfer 
Protocol), and executes the processing of Fig. 5 as 
follows. 

(1) The signature of the PAT is verified using a public 
key of the ADS 7 (step S1413). 

When the PAT is found to have been altered (step S1415 
YES), the mail is discarded and the processing is 
terminated (step S1416). 

When the PAT is found to have been not altered (step 
S1415 NO), the following processing (2) is executed. 

(2) The search is carried out by presenting the sender's 
AID to the PAT (steps S1417, S1419, S1421). 

When an AID that completely matches with the sender's 
AID is not contained in the PAT (step S1423 NO), the mail 
is discarded and the processing is terminated (step S1416). 

When an AID that completely matches with the sender's 
AID is contained in the PAT (step S1423 YES), the following 
processing (3) is executed. 

(3) The validity period value of the PAT is evaluated 
(steps S1425, S1427). 

When the PAT is outside the validity period (step 
S1427 NO), the mail is discarded and the processing is 
terminated (step S1416). 

When the PAT is within the validity period (step S1427 
YES), the following processing (4) is executed. 

(4) Whether or not to authenticate the sender is
determined by referring to the transfer control flag value
of the PAT (steps S1431, S1433).

When the value is 1 (step S1433 YES), the
challenge/response authentication between the SCS 5 and the
sender is carried out, and the signature of the sender is
verified (step S1435). When the signature is valid, the
recipient is specified and the PAT is attached (step
S1437). When the signature is invalid, the mail is
discarded and the processing is terminated (step S1416).

When the value is 0 (step S1433 NO), the recipient is
specified and the PAT is attached without executing the
challenge/response authentication (step S1437).

Next, an exemplary challenge/response authentication
between the SCS 5 and the sender will be described.

First, the SCS 5 generates an arbitrary information
such as a timestamp, for example, and transmits the
generated information to the sender.

Then, the sender signs the received information using
a secret key of the sender's AID and transmits it along
with a public key of the sender's AID.

The SCS 5 then verifies the signature of the received
information using the public key of the sender's AID. When
the signature is valid, the recipient is specified and the
PAT is attached. When the signature is invalid, the mail is
discarded and the processing is terminated.

Next, a method for specifying the recipient at the SCS
5 will be described. First, the SCS 5 carries out the
search by presenting the sender's AID to the PAT, so as to
acquire all the AIDs which do not completely match the
sender's AID. All these acquired AIDs will be defined as
recipient's AIDs hereafter. Then, for every recipient's
AID, the real domain of SCS of recipient is taken out from
the recipient's AID. Then, the recipient is specified in a
format of "[recipient's AID]@[real domain of SCS of
recipient]". Finally, the SCS 5 changes the sender from a
format of "[sender's AID]@[real domain of SCS of sender]"
to a format of "[sender's AID]".

Next, a method for attaching the PAT at the SCS 5 will
be described. The SCS 5 attaches the PAT to an arbitrary
position in the mail. The SCS 5 gives the mail to the MTA
after specifying the sender and the recipient and attaching
the PAT.

Note that all the processings described above are the 
same in the case of the 1-to-N PAT. 
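The Fig. 5 check and the challenge/response exchange described above, written out as an added example in Go; this is not code from the patent. The AID is reduced to a name, the real domain of its SCS and the holder's public key; the validity period is modelled as a UTC window, one of the forms the text allows; the signatures use Ed25519, which the patent does not prescribe; and the ADS and AID key pairs, the AID names and domains and the byte encoding the ADS signs are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// AID as the SCS needs it: opaque name, real domain of the SCS serving it, and
// the holder's public key (the patent's CA-signed OID fragments are left out).
type AID struct {
	Name, Domain string
	Pub          ed25519.PublicKey
}

func (a AID) Addr() string { return a.Name + "@" + a.Domain }

// PAT is the 1-to-1 ticket issued by the ADS; validity is modelled as a UTC window.
type PAT struct {
	AIDs                []AID
	NotBefore, NotAfter time.Time
	TransferFlag        int    // 1: authenticate the sender; 0: ticket is transferable
	Sig                 []byte // ADS signature over Body()
}

// Body is the canonical byte string the ADS signs (encoding constructed here).
func (p PAT) Body() []byte {
	s := ""
	for _, a := range p.AIDs {
		s += fmt.Sprintf("%s|%x;", a.Addr(), []byte(a.Pub))
	}
	return []byte(s + fmt.Sprintf("%d|%d|%d", p.NotBefore.Unix(), p.NotAfter.Unix(), p.TransferFlag))
}

var ErrDiscard = errors.New("mail discarded")

// Responder is the sender's half of the exchange: it signs the SCS's challenge
// with the secret key of the sender's AID.
type Responder func(challenge []byte) []byte

// scsCheck runs steps (1)-(4) of Fig. 5 and returns the recipients in
// "[recipient's AID]@[real domain of SCS of recipient]" form, or ErrDiscard.
func scsCheck(adsPub ed25519.PublicKey, pat PAT, senderAddr string, now time.Time, respond Responder) ([]string, error) {
	if !ed25519.Verify(adsPub, pat.Body(), pat.Sig) { // (1) S1413/S1415: altered PAT
		return nil, ErrDiscard
	}
	// (2) S1417-S1423: the sender's AID must be in the PAT; every other AID is a
	// recipient (S1437), reported only if the remaining checks pass.
	var sender *AID
	var rcpts []string
	for i, a := range pat.AIDs {
		if a.Addr() == senderAddr {
			sender = &pat.AIDs[i]
		} else {
			rcpts = append(rcpts, a.Addr())
		}
	}
	if sender == nil {
		return nil, ErrDiscard
	}
	if now.Before(pat.NotBefore) || now.After(pat.NotAfter) { // (3) S1425/S1427
		return nil, ErrDiscard
	}
	if pat.TransferFlag == 1 { // (4) S1431-S1435: authenticate the sender
		// Fresh random data, so a recorded response cannot be replayed; verified with the
		// key bound to the sender's AID inside the ADS-signed PAT, not one the sender supplies.
		challenge := make([]byte, 32)
		if _, err := rand.Read(challenge); err != nil {
			return nil, err
		}
		if respond == nil || !ed25519.Verify(sender.Pub, challenge, respond(challenge)) {
			return nil, ErrDiscard
		}
	}
	return rcpts, nil
}

// demo issues PAT<AIDa | AIDb> under a constructed ADS key and runs four scenarios.
func demo() (legit, transferable []string, thirdParty, expired, err error) {
	adsPub, adsPriv, _ := ed25519.GenerateKey(rand.Reader)
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)
	bPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, xPriv, _ := ed25519.GenerateKey(rand.Reader) // third party given AIDa and the PAT, not AIDa's key
	aida, aidb := AID{"aida", "scs-a.example", aPub}, AID{"aidb", "scs-b.example", bPub}
	now := time.Date(2001, 1, 1, 12, 0, 0, 0, time.UTC)
	issue := func(flag int, notAfter time.Time) PAT {
		p := PAT{AIDs: []AID{aida, aidb}, NotBefore: now.Add(-time.Hour), NotAfter: notAfter, TransferFlag: flag}
		p.Sig = ed25519.Sign(adsPriv, p.Body())
		return p
	}
	sign := func(k ed25519.PrivateKey) Responder { return func(c []byte) []byte { return ed25519.Sign(k, c) } }
	strict := issue(1, now.Add(24*time.Hour))
	if legit, err = scsCheck(adsPub, strict, aida.Addr(), now, sign(aPriv)); err != nil {
		return
	}
	_, thirdParty = scsCheck(adsPub, strict, aida.Addr(), now, sign(xPriv))
	_, expired = scsCheck(adsPub, issue(1, now.Add(-time.Minute)), aida.Addr(), now, sign(aPriv))
	// Flag 0: no challenge/response, so the same third party is let through.
	transferable, err = scsCheck(adsPub, issue(0, now.Add(24*time.Hour)), aida.Addr(), now, sign(xPriv))
	return
}

func main() { fmt.Println(demo()) }
```

Two points the prose leaves implicit are made explicit here. The SCS verifies the response with the public key bound to the sender's AID inside the ADS-signed PAT rather than with the key the sender transmits alongside its reply, since otherwise a third party holding AIDa and the PAT could answer with any key pair of its own. And the challenge is fresh random data rather than a reusable value such as a timestamp, so that a recorded response cannot be replayed against a later challenge.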

Next, a method of receiving refusal with respect to 
the PAT at the SCS 5 will be described. 

Receiving refusal setting: The bidirectional
authentication is carried out by an arbitrary means between
the user and the SCS 5. Then, the user transmits a
registration command, his/her own AID, and arbitrary PATs
to the SCS 5. Then, the SCS 5 verifies the signature of the
received AID. If the signature is invalid, the processing
of the SCS 5 is terminated. If the signature is valid, the
SCS 5 next verifies the signature of each received PAT
using a public key of the ADS. Those PATs with the invalid
signature are discarded by the SCS 5. When the signature is
valid, the SCS 5 carries out the search by presenting the
received AID to each PAT. For each of those PATs which
contain the AID that completely matches with the received
AID, the SCS 5 presents the registration command and the
PAT to the storage device such that the PAT is registered
into the storage device. Those PATs which do not contain
the AID that completely matches with the received AID are
discarded by the SCS 5 without storing them into the
storage device. Here, there can be cases where
communications between the user and the SCS 5 are to be
encrypted.
Receiving refusal execution: The SCS 5 carries out the
search by presenting the PAT to the storage device. When a
PAT that completely matches the presented PAT is registered
in the storage device, the mail is discarded. When a PAT
that completely matches the presented PAT is not registered
in the storage device, the mail is not discarded.

Receiving refusal cancellation: The bidirectional
authentication is carried out by an arbitrary means between
the user and the SCS 5. Then, the user presents his/her own
AID to the SCS 5. Then, the SCS 5 verifies the signature of
the received AID. If the signature is invalid, the
processing of the SCS 5 is terminated. If the signature is
valid, the SCS 5 next presents the presented AID as a
search condition to the storage device and acquires all the
PATs that contain the presented AID, and then presents all
the acquired PATs to the user. Then, the user selects all
the PATs for which the receiving refusal is to be cancelled
by referring to all the PATs presented from the SCS 5, and
transmits all the selected PATs along with a deletion
command to the SCS 5. Upon receiving the deletion command
and all the PATs for which the receiving refusal is to be
cancelled, the SCS 5 presents the deletion command and all
the PATs received from the user to the storage device, such
that all the received PATs are deleted from the storage
device.

Note that the method of receiving refusal with respect
to the 1-to-N PAT at the SCS 5 is the same as the method of
receiving refusal with respect to the 1-to-1 PAT described
above.

Note also that the case of returning a mail from the
user-B to the user-A is the same as the case of
transmitting a mail from the user-A to the user-B.

Next, the judgement of identity will be described with 
reference to Fig. 6 and Fig. 7. 

(1) An initial value of a variable OIDm is defined as a
bit sequence with a length equal to the total length L of
the OID and all values equal to "0". Also, an initial value
of a variable OIDu is defined as a bit sequence with a
length equal to the total length L of the OID and all values
equal to "0" (step S2511).

(2) One AID is selected from a set of processing target
AIDs, and the following bit processing is carried out (step
S2513).

(a) Values of variables AIDm and AIDu are determined
according to the position information contained in the AID
(step S2515). Here, AIDm is defined as a bit sequence with
a length equal to the total length L of the OID in which a
value of a position at which the OID information is defined
is "1" while a value of a position at which the OID
information is not defined is "0" (see Fig. 7). Also, AIDu
is defined as a bit sequence with a length equal to the
total length L of the OID in which a value of a position at
which the OID information is defined is the actual value of
the OID information while a value of a position at which
the OID information is not defined is "0" (see Fig. 7).

(b) AND processing of OIDm and AIDm is carried out and
its result is substituted into a variable OVRm (step
S2517). OVRm thus marks the positions that are defined both
in the AIDs processed so far and in the current AID.

(c) AND processing of OVRm and AIDu as well as AND
processing of OVRm and OIDu are carried out and their
results are compared (step S2519), that is, the values at
the overlapping positions are checked for agreement. When
they coincide, OR processing of OIDm and AIDm is carried
out and its result is substituted into OIDm (step S2521),
while OR processing of OIDu and AIDu is also carried out
and its result is substituted into OIDu (step S2523). On
the other hand, when they do not coincide, the current AID
is not merged and the processing proceeds to the step
S2525.

(d) An AID to be processed next is selected from a set
of processing target AIDs. When at least one other AID is
contained in the set, the steps S2513 to S2523 are executed
for that AID. When no other AID is contained in the
set, the processing proceeds to the step S2527.

(e) Values of OIDm and OIDu are outputted (step
S2527).

The value of OIDm that is eventually obtained
indicates all positions of the OID information that can be
recovered from the set of processing target AIDs. Also, the
value of OIDu that is eventually obtained indicates all the
OID information that can be recovered from the set of
processing target AIDs. In other words, by using the values
of OIDm and OIDu, it is possible to obtain the OID, albeit
probabilistically, when the value of OIDu is used as a
search condition, and it is possible to quantitatively
evaluate a precision of the above search by the ratio
OIDm/L of the number of "1" positions in OIDm to the total
length L of the OID.
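The judgement of identity of Fig. 6 and Fig. 7, written out as an added example in Go; this is not code from the patent. Positions are modelled at byte granularity, and the OID "alice@example.org", the fragments and their positions are constructed for the example; the AND/OR steps are the patent's, applied bytewise.

```go
package main

import (
	"fmt"
	"math/bits"
)

// Fragment is what one AID discloses of the OID: the OID's value at positions
// [Pos, Pos+len(Val)). Positions are byte-granular here (a modelling assumption;
// the patent's AIDm/AIDu are bit vectors, and the AND/OR below are bitwise anyway).
type Fragment struct {
	Pos int
	Val []byte
}

// masks turns a fragment into AIDm (all-ones where the OID is defined) and AIDu
// (the actual OID bytes where defined, 0 elsewhere), both of total length L.
func masks(f Fragment, L int) (aidm, aidu []byte) {
	aidm, aidu = make([]byte, L), make([]byte, L)
	for i, v := range f.Val {
		if f.Pos+i < L {
			aidm[f.Pos+i] = 0xFF
			aidu[f.Pos+i] = v
		}
	}
	return aidm, aidu
}

// Judge is the procedure of Fig. 6: fragments from several AIDs are merged as
// long as their overlapping parts agree; a fragment that contradicts what has
// already been recovered is skipped, since it cannot come from the same OID.
// It returns OIDm, OIDu, the indexes of skipped fragments and the precision OIDm/L.
func Judge(frags []Fragment, L int) (oidm, oidu []byte, skipped []int, precision float64) {
	oidm, oidu = make([]byte, L), make([]byte, L) // S2511: all zero
	for k, f := range frags {                      // S2513: next AID
		aidm, aidu := masks(f, L) // S2515
		agree := true
		for i := 0; i < L; i++ {
			ovrm := oidm[i] & aidm[i]         // S2517: positions defined on both sides
			if ovrm&aidu[i] != ovrm&oidu[i] { // S2519: values there must coincide
				agree = false
				break
			}
		}
		if !agree {
			skipped = append(skipped, k) // S2525: not merged
			continue
		}
		for i := 0; i < L; i++ { // S2521 and S2523
			oidm[i] |= aidm[i]
			oidu[i] |= aidu[i]
		}
	}
	known := 0
	for _, m := range oidm {
		known += bits.OnesCount8(m)
	}
	return oidm, oidu, skipped, float64(known) / float64(8*L) // S2527
}

// demo: three AIDs that fragment the same 17-byte OID "alice@example.org" (a
// constructed value), plus one AID from another OID whose fragment overlaps them.
func demo() (oidu string, skipped []int, precision float64) {
	frags := []Fragment{{0, []byte("alice")}, {5, []byte("@example")}, {0, []byte("bob")}, {6, []byte("ex")}}
	_, u, s, p := Judge(frags, 17)
	return string(u), s, p
}

func main() {
	u, s, p := demo()
	fmt.Printf("%q %v %.3f\n", u, s, p)
}
```

The fragment "bob" at position 0 contradicts the already recovered "alice" and is skipped, which is how AIDs derived from a different OID are kept out of the merge; the fragment "ex" at position 6 overlaps consistently and is merged without adding information. The 13 recovered bytes out of 17 give OIDm/L = 13/17, the precision the text assigns to a search that uses OIDu as its condition.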

As described above, in this first embodiment, the CA 1
which is a Trusted Third Party with high secrecy and
credibility generates the AID in which the personal
information is concealed, from the OID that contains the
highly secret personal information such as name, telephone
number, real email address, etc., according to a user
request, and issues the AID to the user. By identifying the
user by this AID on the communication network as well as in
various services provided on the communication network, it
becomes possible to provide both the anonymity guarantee
and the identity guarantee for the user. In other words, it
becomes possible for the user to communicate with another
user without revealing his/her own real name, telephone
number, email address, etc., to that another user, and it
also becomes possible to disclose the disclosed information
to unspecified many through the ADS 7 as will be described
below.

The user registers the disclosed information, that is
an information which is supposed to have a low secrecy
compared with the personal information, at the ADS 7. In the
case of searching the disclosed information and the
registrant AID, the searcher presents the AID of the
searcher and arbitrary search conditions to the ADS 7. The
ADS 7 then extracts the registrant AID that satisfies these
search conditions, and generates the PAT from the AID of
the searcher and the AID of the registrant who satisfied
the search conditions, the transfer control flag value, and
the validity period value.

In this 1-to-1 PAT, the transfer control flag value
and the validity period value are set as shown in a part (c)
of Fig. 2, and by setting up this validity period in
advance, it is possible to limit connections from the
sender.

It is also possible to prohibit connections from a
third person who does not have the access right, by using
the transfer control flag value. Namely, when the transfer
control flag value is set to be 1, the sender's AID is
authenticated between the SCS 5 and the sender according to
an arbitrary challenge/response process, so that even if
the sender gives both the sender's AID and the PAT to
another user other than the sender, that another user will
not be able to make a connection to the registrant of the
ADS 7 through the SCS 5. On the other hand, when the
transfer control flag value is set to be 0, no
challenge/response process will be carried out between the
SCS 5 and the sender, so that if the sender gives both the
sender's AID and the PAT to another user other than the
sender, that another user will also be able to make a
connection to the registrant of the ADS 7 through the SCS
5.

It is also possible to make a connection request to
the communication network such that a call for which the
recipient is specified by the 1-to-1 PAT will be received
by the recipient's AID or the sender's AID defined within
the PAT. In addition, it is also possible to refuse
receiving calls with the 1-to-1 PAT selected by the
recipient among calls which are specified by the 1-to-1
PAT. It is also possible to cancel the receiving refusal of
the calls with the 1-to-1 PAT selected by the recipient. In
addition, as a measure against the sender who repeats the
personal attack using a plurality of sender's AIDs by
taking advantage of the anonymity, it is possible to
judge the identity of the OID from this plurality of
sender's AIDs and it is possible to extract that OID at
some probability.

Next, with references to Fig. 8 to Fig. 24, the second
embodiment of the email access control scheme according to
the present invention will be described in detail.

In contrast to the first embodiment described above
which is directed to the case where a sender and a
recipient are set in 1-to-1 correspondence, this second
embodiment is directed to the case where a sender and
recipients are set in 1-to-N correspondence and a
generation of a new PAT and a content change of the
existing PAT can be made by the initiative of a user. Here,
the sender is either a holder of the PAT or a member of the
PAT. Similarly, the recipient is either a holder of the PAT
or a member of the PAT.

In general, a membership of a group communication
(mailing list, etc.) is changing dynamically so that it is
necessary for a host of the group communication to manage
information on a point of contact such as telephone number,
email address, etc., of each member. In contrast, in the
case where it is only possible to newly generate a 1-to-1
PAT as in the first embodiment, the management of a point
of contact is difficult. For example, it is difficult to
manage the group collectively, and even if it is given to
the others for the purpose of the transfer control, it does
not function as an address of the group communication such
as mailing list.

In this second embodiment, in order to resolve such a
problem, it is made possible to carry out a generation of a
new 1-to-N PAT and a content change of the existing 1-to-N
PAT by the initiative of a user.

First, the definition of various identifications used 
in this second embodiment will be described with references 
to Fig. 8 and Fig. 9. 

As shown in a part (a) of Fig. 8, the OID is an
information comprising an arbitrary character string
(telephone number, email address, etc.) according to a rule
by which the CA 1 can uniquely identify the user and a
public key, which is signed by the CA 1.

Also, as shown in a part (b) of Fig. 8, the AID is an
information comprising fragments of the OID and their
position information, redundant character strings, and an
SCS information given by an arbitrary character string
(host name, real domain name, etc.) by which a host or a
domain that is operating the SCS 5 can be uniquely
identified on the network, which is signed by the CA 1.

Also, as shown in a part (c) of Fig. 8, the 1-to-N PAT
is an information comprising two or more AIDs, a holder
index, the validity period, the transfer control flag, and
a PAT processing device identifier, which is signed using a
secret key of the PAT processing device.

Here, one of the AIDs is a holder AID of this PAT,
where the change of the information contained in the PAT
such as an addition of AID to the PAT, a deletion of AID
from the PAT, a change of the validity period in the PAT, a
change of the transfer control flag value in the PAT, etc.,
can be made by presenting the holder AID and a
corresponding Enabler to the PAT processing device.

On the other hand, the AIDs other than the holder AID
that are contained in the PAT are all member AIDs, where a
change of the information contained in the PAT cannot be
made even when the member AID and a corresponding Enabler
are presented to the PAT processing device.

The holder index is a numerical data for identifying
the holder AID, which is defined to take a value 1 when the
holder AID is a top AID in the AID list formed from the
holder AID and the member AIDs, a value 2 when the holder
AID is a second AID from the top of the AID list, or a
value n when the holder AID is an n-th AID from the top of
the AID list.

The transfer control flag value is defined to take
either 0 or 1 similarly as in the case of the 1-to-1 PAT.

The holder AID is defined to be an AID which is
written at a position of the holder index value in the AID
list. The member AIDs are defined to be all the AIDs other
than the holder AID.

The validity period is defined by any one or
combination of the number of times for which the PAT is
available, the absolute time (UTC) by which the PAT becomes
unavailable, the absolute time (UTC) by which the PAT
becomes available, and the relative time (lifetime) since
the PAT becomes available until it becomes unavailable.

The identifier of a PAT processing device (or a PAT
processing object on the network) is defined as a serial
number of the PAT processing device (or a distinguished
name of the PAT processing object on the network). The
secret key of the PAT processing device (or the PAT
processing object on the network) is defined to be uniquely
corresponding to the identifier.

Also, in this second embodiment, an Enabler is
introduced as an identifier corresponding to the AID. As
shown in Fig. 9, the Enabler is an information comprising a
character string uniquely indicating that it is an Enabler
and an AID itself, which is signed by the CA 1.

Next, the operations for a generation of a new PAT and
a content change of the existing PAT will be described.
Here, the following operations are defined at a secure PAT
processing device on the communication terminal or a PAT
processing object on the CA or on a network which is
properly requested from the CA (which will also be referred
to as a PAT processing device hereafter).
1. Editing of AID list:

A list of AIDs (referred to hereafter as an AID list)
contained in the PAT is edited using AIDs and Enabler.
Else, the AID list is newly generated.

2. Setting of the validity period and the transfer
control flag:

The validity period value and the transfer control
flag value contained in the PAT are changed using an AID
and Enabler. Also, a new validity period value and a new
transfer control flag value are set in the newly generated
AID list.

A user who presented the holder AID and the Enabler
corresponding to this holder AID to the PAT processing
device can edit the list of AIDs contained in the PAT. In
this case, the following processing rules are used.
(1) Generating a new PAT (MakePAT) (see Fig. 10):

The AID list (ALIST<holder AID | member AID1, member
AID2, ..., member AIDn>) is newly generated, and the
validity period value and the transfer control flag value
are set with respect to the generated ALIST.

    AIDa + AIDb + Enabler of AIDb + Enabler of AIDa
      -> ALIST<AIDa | AIDb>

    ALIST<AIDa | AIDb> + Enabler of AIDa
      + validity period value
      + transfer control flag value
      -> PAT<AIDa | AIDb>

(2) Merging PATs (MergePAT) (see Fig. 11):

A plurality of ALISTs of the same holder AID are
merged and the validity period value and the transfer
control flag value are set with respect to the merged
ALIST.

    ALIST<AIDa | AIDb1, AIDb2, ...>
      + ALIST<AIDa | AIDc1, AIDc2, ...>
      + Enabler of AIDa
      -> ALIST<AIDa | AIDb1, AIDb2, ..., AIDc1, AIDc2, ...>

    ALIST<AIDa | AIDb1, AIDb2, ..., AIDc1, AIDc2, ...>
      + Enabler of AIDa + validity period value
      + transfer control flag value
      -> PAT<AIDa | AIDb1, AIDb2, ..., AIDc1, AIDc2, ...>

35 
(3) Splitting a PAT (SplitPAT) (see Fig. 12):

The ALIST is split into a plurality of ALISTs of the
same holder AID, and the respective validity period value
and transfer control flag value are set with respect to
each one of the split ALISTs.

    ALIST<AIDa | AIDb1, AIDb2, ..., AIDc1, AIDc2, ...>
      + Enabler of AIDa
      -> ALIST<AIDa | AIDb1, AIDb2, ...>
         + ALIST<AIDa | AIDc1, AIDc2, ...>

    ALIST<AIDa | AIDc1, AIDc2, ...>
      + Enabler of AIDa + validity period value
      + transfer control flag value
      -> PAT<AIDa | AIDc1, AIDc2, ...>

(4) Changing a holder of a PAT (TransPAT) (see Fig. 13):

The holder AID of the ALIST is changed, and the
validity period value and the transfer control flag value
are set with respect to the changed ALIST.

    ALIST<AIDa | AIDb> + ALIST<AIDa | AIDc1, AIDc2, ...>
      + Enabler of AIDa + Enabler of AIDb
      -> ALIST<AIDb | AIDc1, AIDc2, ...>

    ALIST<AIDb | AIDc1, AIDc2, ...>
      + Enabler of AIDb + validity period value
      + transfer control flag value
      -> PAT<AIDb | AIDc1, AIDc2, ...>

In the operation for setting the validity period
value, in order to permit the setting of the validity
period value only to a user who holds both the holder AID
and the corresponding Enabler, the following operation is
defined.

    PAT<AIDa | AIDb> + Enabler of AIDa
      + validity period value
      -> PAT<AIDa | AIDb>

In the operation for setting the transfer control flag
value, in order to permit the setting of the transfer
control flag value only to a user who holds both the holder
AID and the corresponding Enabler, the following operation
is defined.

    PAT<AIDa | AIDb> + Enabler of AIDa
      + transfer control flag value
      -> PAT<AIDa | AIDb>

Next, with references to Fig. 14 to Fig. 20, the
overall system configuration of this second embodiment will
be described. In Fig. 14 to Fig. 20, the user-A who has
AIDa allocated from the CA stores AIDa and Enabler of AIDa
in a computer of the user-A, and the input/output devices
such as floppy disk drive, CD-ROM drive, communication
board, microphone, speaker, etc., are connected. Else, AIDa
and Enabler of AIDa are stored in a communication terminal
(telephone, cellular phone, etc.) which has a storage
device and a data input/output function.

Similarly, the user-B who has AIDb allocated from the
CA stores AIDb and Enabler of AIDb in a computer of the
user-B, and the input/output devices such as floppy disk
drive, CD-ROM drive, communication board, microphone,
speaker, etc., are connected. Else, AIDb and Enabler of
AIDb are stored in a communication terminal (telephone,
cellular phone, etc.) which has a storage device and a data
input/output function.

In the following, a procedure by which the user-A
generates PAT<AIDa | AIDb> will be described.

(1) The user-A acquires AIDb and Enabler of AIDb using any
of the following means.

* AIDb and Enabler of AIDb are registered at the ADS
7, and it is waited until the user-A acquires them as a
search result (Fig. 14).

* AIDb and Enabler of AIDb are directly transmitted to
the user-A by the email, signaling, etc. (Figs. 15, 16).

* AIDb and Enabler of AIDb are stored in a magnetic,
optic, or electronic medium such as floppy disk, CD-ROM,
MO, IC card, etc., and this medium is given to the user-A.
Else, it is waited until the user-A acquires them by reading
this medium (Figs. 17, 18).

* AIDb and Enabler of AIDb are printed on a paper
medium such as book, name card, etc., and this medium is
given to the user-A. Else, it is waited until the user-A
acquires them by reading this medium (Figs. 19, 20).
(2) The user-A who has acquired AIDb and Enabler of AIDb
by any of the means described in the above (1) issues the
MakePAT command to the PAT processing device. This
procedure is common to Fig. 14 to Fig. 20, and defined as
follows.

(a) The user-A requests the issuance of the MakePAT
command by setting AIDa, Enabler of AIDa, AIDb, Enabler of
AIDb, the validity period value, and the transfer control
flag value into the communication terminal of the user-A.

(b) The communication terminal of the user-A generates
the MakePAT command.

(c) The communication terminal of the user-A transmits
the generated MakePAT command to the PAT processing device
by means such as the email, signaling, etc. (the issuance
of the MakePAT command).

(d) The PAT processing device generates PAT<AIDa |
AIDb> by processing the received MakePAT command according
to Fig. 21 and Fig. 23. More specifically, this is done as
follows.

    AIDa + AIDb + Enabler of AIDb + Enabler of AIDa
      -> ALIST<AIDa | AIDb>

    ALIST<AIDa | AIDb> + Enabler of AIDa
      + validity period value + transfer control flag value
      -> PAT<AIDa | AIDb>

(e) The PAT processing device transmits the generated
PAT<AIDa | AIDb> to the communication terminal of the user-
A, or to the communication terminal of the user-B according
to the need, by means such as the email, signaling, etc.

(f) The communication terminal of the user-A (or the
user-B) stores the received PAT<AIDa | AIDb> in the storage
device of the communication terminal of the user-A (or the
user-B).

The merging of PATs (MergePAT, Fig. 21, Fig. 23), the
splitting of a PAT (SplitPAT, Fig. 22, Fig. 23), and the
changing of a holder of a PAT (TransPAT, Fig. 21, Fig. 23)
are also carried out by the similar procedure.

Next, the procedure of MakePAT, MergePAT and TransPAT
will be described with reference to Fig. 21.

(1) The holder AID is specified (step S4411).

(2) All the member AIDs are specified (step S4412).

(3) The AID list is generated from the specified holder
AID and all the specified member AIDs (step S4413). More
specifically, the specified holder AID and all the
specified member AIDs are concatenated using arbitrary
means.

(4) A tentative PAT is generated using arbitrary means,
similarly as in the case of a tentative AID (step S4414).

(5) The generated AID list is copied to a prescribed
region of the generated tentative PAT (step S4415).

(6) The holder index value is written into the tentative
PAT to which the AID list has been copied (step S4416).

(7) The transfer control flag value is written into the
tentative PAT into which the holder index value has been
written (step S4417).

(8) The validity period value is written into the
tentative PAT into which the transfer control flag value
has been written (step S4418).

(9) The PAT processing device identifier is written into
the tentative PAT into which the validity period value has
been written (step S4419).

(10) The tentative PAT into which the PAT processing
device identifier has been written is signed using the
secret key of the PAT processing device (step S4420).

Next, the procedure of SplitPAT will be described with
reference to Fig. 22.

(1) The holder AID is specified (step S4511).

(2) All the AIDs to be the member AIDs of the PATs after
the splitting are specified (step S4512).

(3) The AID list is generated from the specified holder
AID and all the specified member AIDs (step S4513). More
specifically, the specified holder AID and all the
specified member AIDs are concatenated using arbitrary
means.

(4) A tentative PAT is generated using arbitrary means,
similarly as in the case of a tentative AID (step S4514).

(5) The generated AID list is copied to a prescribed
region of the generated tentative PAT (step S4515).

(6) The holder index value is written into the tentative
PAT to which the AID list has been copied (step S4516).

(7) The transfer control flag value is written into the
tentative PAT into which the holder index value has been
written (step S4517).

(8) The validity period value is written into the
tentative PAT into which the transfer control flag value
has been written (step S4518).

(9) The PAT processing device identifier is written into
the tentative PAT into which the validity period value has
been written (step S4519).

(10) The tentative PAT into which the PAT processing
device identifier has been written is signed using the
secret key of the PAT processing device (step S4520).

(11) In the case of continuing the splitting (step S4521
YES), the procedure returns to (2), and repeats (2) to (10)
sequentially.

Note that, in the procedures of Fig. 21 and Fig. 22,
the AID list generation is carried out according to Fig. 23
as follows. Namely, a buffer length is determined first
(step S4611) and a buffer is generated (step S4612). Then,
the holder AID is copied to a vacant region of the
generated buffer (step S4613). Then, the member AID is
copied to a vacant region of the resulting buffer (step
S4614), and if the next member AID exists (step S4615 YES),
the step S4614 is repeated.

Next, the determination of the holder AID will be
described. Each of the MakePAT, the MergePAT, the SplitPAT,
and the TransPAT commands is defined to have two or more
arguments, where AID, PAT, or Enabler can be specified as
an argument. In this case, the PAT processing device
specifies the holder AID of the PAT to be outputted after
executing each command according to the following rules.

* Case of the MakePAT:

For the MakePAT command, it is defined that AIDs are
to be specified for the first argument to the N-th argument
(N = 2, 3, ...) and Enablers are to be specified for the
N+1-th and subsequent arguments. For example, they can be
specified as follows.

    MakePAT AID1, AID2, ..., AIDn, Enabler of AID1,
            Enabler of AID2, ..., Enabler of AIDn

The PAT processing device interprets the AID of the
first argument of the MakePAT command as the holder AID.

Only when one of the Enablers of the N+1-th and
subsequent arguments corresponds to the AID of the first
argument, the PAT processing device specifies this AID
(that is the AID of the first argument) as the holder AID
of the PAT to be outputted after executing the MakePAT
command.

* Case of the MergePAT:

For the MergePAT command, it is defined that PATs are
to be specified for the first argument to the N-th
argument (N = 2, 3, ...) and Enabler is to be specified for
the N+1-th argument. Namely, they can be specified as
follows.

    MergePAT PAT1 PAT2 ... PATn Enabler of AID

The PAT processing device interprets the holder AID of
the PAT of the first argument of the MergePAT command as
the holder AID of the PAT to be outputted after executing
the MergePAT command.

Only when the Enabler of the N+1-th argument
corresponds to the holder AID of the PAT of the first
argument, the PAT processing device specifies this AID
(that is the holder AID of the PAT of the first argument)
as the holder AID of the PAT to be outputted after
executing the MergePAT command.

* Case of the SplitPAT:

For the SplitPAT command, it is defined that PAT is to
be specified for the first argument, a set of one or more
AIDs grouped together by some prescribed symbols (assumed
to be parentheses () in this example) are to be specified
for the second argument to the N-th argument (N = 3, 4,
...), and Enabler is to be specified for the N+1-th
argument. Namely, they can be specified as follows.

    SplitPAT PAT1 (AID11) (AID21 AID22) ...
             (AIDn1 AIDn2 ... AIDnm) Enabler of AID

The PAT processing device interprets the holder AID of
the PAT of the first argument of the SplitPAT command as
the holder AID of the PAT to be outputted after executing
the SplitPAT command.

Only when the Enabler of the N+1-th argument
corresponds to the holder AID of the PAT of the first
argument, the PAT processing device specifies this AID
(that is the holder AID of the PAT of the first argument)
as the holder AID of the PAT to be outputted after
executing the SplitPAT command.
* Case of the TransPAT:

For the TransPAT command, it is defined that PATs are to be specified for the first argument and the second argument, AID is to be specified for the third argument, and Enablers are to be specified for the fourth argument and the fifth argument. Namely, they can be specified as follows.

TransPAT PAT1 PAT2 AID Enabler of AID1 Enabler of AID2

The PAT processing device interprets the AID of the third argument as the holder AID of the PAT to be outputted after executing the TransPAT command, provided that the AID of the third argument of the TransPAT command is contained in the PAT of the second argument.

Only when the Enabler of the fourth argument corresponds to both the PAT of the first argument and the PAT of the second argument, and the Enabler of the fifth argument corresponds to the AID of the third argument, the PAT processing device specifies the AID of the third argument as the holder AID of the PAT to be outputted after executing the TransPAT command.

Next, the determination of the member AIDs will be described. The definitions of the MakePAT, the MergePAT, the SplitPAT, and the TransPAT commands are as described above. The PAT processing device specifies the member AIDs of the PAT to be outputted after executing each command according to the following rules.

* Case of the MakePAT:

Only when the holder AID of the PAT to be outputted after executing the MakePAT command is formally determined, the PAT processing device interprets all the AIDs of the second and subsequent arguments of the MakePAT command as the member AIDs of the PAT to be outputted after executing the MakePAT command.

The PAT processing device specifies only those AIDs among all the AIDs of the second and subsequent arguments which correspond to the Enablers specified by the N+1-th and subsequent arguments as the member AIDs of the PAT to be outputted after executing the MakePAT command.

* Case of the MergePAT:

Only when the holder AID of the PAT to be outputted after executing the MergePAT command is formally determined, the PAT processing device specifies the member AIDs of all the PATs specified by the first to N-th arguments of the MergePAT as the member AIDs of the PAT to be outputted after executing the MergePAT command.

* Case of the SplitPAT:

Only when the holder AID of the PAT to be outputted after executing the SplitPAT command is formally determined, the PAT processing device specifies the member AIDs of the PAT specified by the first argument of the SplitPAT command as the member AIDs of the PATs to be outputted after executing the SplitPAT command. At this point, the member AIDs are distributed into different PATs in units of parentheses (). For example, in the case of:

SplitPAT PAT (AID11) (AID21 AID22) ... (AIDn1 AIDn2 ... AIDnm) Enabler of AID

(AID11), (AID21 AID22) and (AIDn1 AIDn2 ... AIDnm) will be the member AIDs of different PATs having a common holder AID.

* Case of TransPAT:

Only when the holder AID of the PAT to be outputted after executing the TransPAT command is formally determined, the PAT processing device specifies all the member AIDs remaining after excluding the member AID that is scheduled to be a new holder AID from all the member AIDs of the PAT specified by the first argument of the TransPAT command and the member AIDs of the PAT specified by the second argument, as the member AIDs of the PAT to be outputted after executing the TransPAT command.

Next, the verification of the properness of the Enabler will be described. This verification of the properness of the Enabler is common to the MakePAT, the MergePAT, the SplitPAT and the TransPAT, and is carried out according to Fig. 24 as follows.

(1) AID and Enabler are entered (step S5511).

(2) Each of these entered AID and Enabler is verified using the public key of the CA 1 (step S5512). If at least one of them is altered (step S5513 YES), the processing is terminated.

(3) A character string for certifying that it is Enabler is entered (step S5514).

(4) The top field of the Enabler of the step S5511 and the character string of the step S5514 are compared (step S5515). If they do not match (step S5516 NO), the processing is terminated.

(5) If they match (step S5516 YES), the AID of the step S5511 and the AID within the Enabler are compared (step S5517).

(6) A comparison result is outputted (step S5519).


Next, with reference to Fig. 25 to Fig. 28, the third embodiment of the email access control scheme according to the present invention will be described in detail.

In the generation of a new PAT (MakePAT) and the PAT holder change (TransPAT) of the above described embodiment, it is necessary to give member AIDs and Enablers of member AIDs to the holder of the PAT, but when they are given to the holder, it becomes possible for that holder to participate in the group communications hosted by the other holders by using the acquired member AIDs. Namely, there arises a problem that the pretending (impersonation) using the member AIDs becomes possible. Moreover, if that holder places the acquired member AIDs and Enablers of member AIDs on a medium that is readable by unspecified many, these member AIDs become accessible to anyone, so that there arises a problem that the harassment to the users of the member AIDs may occur and the pretending using the member AIDs by a third person also becomes possible.

For this reason, in this third embodiment, it is made possible to carry out the MakePAT and the TransPAT without giving the Enablers of member AIDs to the holder.

To this end, in this third embodiment, the generation of a new PAT and the content change of the existing PAT are carried out by using Null-AID (AIDnull) and Enabler of Null-AID (Enabler of AIDnull).
Here, the processing involving the Null-AID obeys all of the following rules:

(a) the processing rules of MakePAT, MergePAT, SplitPAT and TransPAT as in the above described embodiment; and

(b) the rules applicable only to the Null-AID, including:

(i) Null-AID is known to every user, and

(ii) Enabler of Null-AID is known to every user.

Here, the processing rules as defined in the above described embodiment will be described for the case of this third embodiment.

(1) Making a PAT from plural AIDs (MakePAT):

AIDholder + AIDmember1 + AIDmember2 + ... + AIDmemberN + Enabler of AIDmember1 + Enabler of AIDmember2 + ... + Enabler of AIDmemberN + Enabler of AIDholder
-> PAT<AIDholder | AIDmember1, AIDmember2, ..., AIDmemberN>

(2) Merging plural PATs of the same holder (MergePAT):

PAT<AIDholder | AIDmembera1, AIDmembera2, ..., AIDmemberaM> + PAT<AIDholder | AIDmemberb1, AIDmemberb2, ..., AIDmemberbN> + Enabler of AIDholder
-> PAT<AIDholder | AIDmembera1, AIDmembera2, ..., AIDmemberaM, AIDmemberb1, AIDmemberb2, ..., AIDmemberbN>

(3) Splitting a PAT into plural PATs of the same holder (SplitPAT):

PAT<AIDholder | AIDmembera1, AIDmembera2, ..., AIDmemberaM, AIDmemberb1, AIDmemberb2, ..., AIDmemberbN> + Enabler of AIDholder
-> PAT<AIDholder | AIDmembera1, AIDmembera2, ..., AIDmemberaM> + PAT<AIDholder | AIDmemberb1, AIDmemberb2, ..., AIDmemberbN>

(4) Changing a holder AID of a PAT (TransPAT):

PAT<AIDholder | AIDmembera1, AIDmembera2, ..., AIDmemberaM> + PAT<AIDholder | AIDnewholder> + Enabler of AIDholder + Enabler of AIDnewholder
-> PAT<AIDnewholder | AIDmembera1, AIDmembera2, ..., AIDmemberaM>

The method for specifying the validity period value and the transfer control flag value in the PAT containing the Null-AID is similar to the method for specifying the validity period value and the transfer control flag value in the second embodiment described above. Next, the exemplary processings involving the Null-AID will be described.

(1) Case of producing PAT<AIDnull | AIDa> from AIDa and Enabler of AIDa:

(a) According to the above described rules (b)(i) and (b)(ii) of the Null-AID, AIDnull and Enabler of AIDnull are known.

(b) Using MakePAT,

AIDnull + AIDa + Enabler of AIDa + Enabler of AIDnull
-> PAT<AIDnull | AIDa>.

(2) Case of producing PAT<AIDnull | AIDa, AIDb> from PAT<AIDnull | AIDa> and PAT<AIDnull | AIDb>:

(a) According to the above described rules (b)(i) and (b)(ii) of the Null-AID, AIDnull and Enabler of AIDnull are known.

(b) Using MergePAT,

PAT<AIDnull | AIDa> + PAT<AIDnull | AIDb> + Enabler of AIDnull
-> PAT<AIDnull | AIDa, AIDb>.

(3) Case of producing PAT<AIDa | AIDb> from PAT<AIDnull | AIDa>, PAT<AIDnull | AIDb> and Enabler of AIDa:

(a) According to the above described rules (b)(i) and (b)(ii) of the Null-AID, AIDnull and Enabler of AIDnull are known.

(b) Using TransPAT,

PAT<AIDnull | AIDa> + PAT<AIDnull | AIDb> + Enabler of AIDnull + Enabler of AIDa
-> PAT<AIDa | AIDb>.


As shown in Fig. 25, the data structure of the Null-AID comprises a character string uniquely indicating that it is Null-AID (a character string defined by the CA, for example), which is signed by the CA using the secret key of the CA.

Also, as shown in Fig. 26, the data structure of the Enabler of Null-AID comprises a character string uniquely indicating that it is Enabler (a character string defined by the CA, for example) and the Null-AID itself, which is signed by the CA using the secret key of the CA.

Note that the Null-AID and the Enabler of Null-AID are maintained at the secure PAT processing devices and the secure PAT certification authority.
Next, the first exemplary application of this third embodiment will be described with reference to Fig. 27, which includes the following operations.

(1) The user-B (PAT member) generates PAT<AIDnull | AIDb> by executing the above described exemplary processing (1) involving the Null-AID at the secure PAT processing device which is connected with the terminal of the user-B, and gives it to the user-A (PAT holder) by arbitrary means.

(2) The user-A who received PAT<AIDnull | AIDb> carries out the following operations at the secure PAT processing device which is connected with the terminal of the user-A.

(a) PAT<AIDnull | AIDa> is produced by executing the above described exemplary processing (1) involving the Null-AID.

(b) PAT<AIDa | AIDb> is produced by executing the above described exemplary processing (3) involving the Null-AID.

(3) The user-A gives the generated PAT<AIDa | AIDb> to the user-B by arbitrary means.

Note that the method for determining the validity period is the same as described above so that it will not be repeated here. Also, the processing involving the Null-AID is the same as described above so that it will not be repeated here.

In the case of giving PAT<AIDnull | AIDa, AIDb> to the user-B, the above described exemplary processing (2) involving the Null-AID will be executed in the operation (2) described above.
Next, the second exemplary application of this third embodiment will be described with reference to Fig. 28, which includes the following operations.

(1) The user-B (PAT member) produces PAT<AIDnull | AIDb> by executing the above described exemplary processing (1) involving the Null-AID at the secure PAT processing device which is connected with the terminal of the user-B, and registers it along with arbitrary disclosed information at the ADS.

(2) The user-A produces PAT<AIDnull | AIDa> by executing the above described exemplary processing (1) involving the Null-AID at the secure PAT processing device which is connected with the terminal of the user-A, and presents it along with arbitrary search conditions to the ADS.

(3) When the personal information of the user-B satisfies the search conditions presented by the user-A, the secure PAT processing device connected with the ADS carries out the following operations.

(a) PAT<AIDnull | AIDa, AIDb> is produced by executing the above described exemplary processing (2) involving the Null-AID.

(b) The produced PAT<AIDnull | AIDa, AIDb> is given to the ADS.

(4) The ADS gives PAT<AIDnull | AIDa, AIDb> produced by the PAT processing device to the user-A.

(5) The user-A who received PAT<AIDnull | AIDa, AIDb> produces PAT<AIDa | AIDb> by executing the following TransPAT processing at the secure PAT processing device which is connected with the terminal of the user-A.

PAT<AIDnull | AIDa> + PAT<AIDnull | AIDa, AIDb> + Enabler of AIDnull + Enabler of AIDa
-> PAT<AIDa | AIDb>.

Note that the method for determining the validity period is the same as described above so that it will not be repeated here. Also, the processing involving the Null-AID is the same as described above so that it will not be repeated here.

In the case of generating PAT<AIDa | AIDb> at the PAT processing device connected with the ADS, Enabler of AIDa will be given to that PAT processing device, and the above described exemplary processing (3) involving the Null-AID will be executed in the operation (3) described above.

In the case of generating PAT<AIDb | AIDa> at the PAT processing device connected with the ADS and giving it to the user-B, Enabler of AIDb will be given to that PAT processing device, and the above described exemplary processing (3) involving the Null-AID will be executed in the operation (3) described above.

Next, with reference to Fig. 29 to Fig. 31, the fourth embodiment of the email access control scheme according to the present invention will be described in detail.

In the group communication, a situation where it is desired to fix the participants is frequently encountered, but the above described embodiment does not have a function for making it impossible to change the PAT, so that the participants cannot be fixed. Namely, in the above described embodiment, whether or not to fix the participants is left to the judgement of the holder of the PAT.

For this reason, in this fourth embodiment, a read only attribute is set up in the PAT. More specifically, in this fourth embodiment, the read only attribute is set up in the PAT by using God-AID (AIDgod).

Here, the processing involving the God-AID obeys all of the following rules:

(a) God-AID is known to every user, and

(b) the processing involving God-AID is allowed only in the following cases:

(i) a case where the AIDholder is neither AIDnull nor AIDgod:

PAT<AIDholder | AIDmember1, AIDmember2, ..., AIDmemberN> + Enabler of AIDholder
-> PAT<AIDgod | AIDholder, AIDmember1, AIDmember2, ..., AIDmemberN>

(ii) a case where AIDholder is AIDnull:

PAT<AIDnull | AIDmember1, AIDmember2, ..., AIDmemberN> + Enabler of AIDnull
-> PAT<AIDgod | AIDmember1, AIDmember2, ..., AIDmemberN>

As shown in Fig. 29, the data structure of the God-AID comprises a character string uniquely indicating that it is God-AID (a character string defined by the CA, for example), which is signed by the CA using the secret key of the CA. The God-AID is maintained at the secure PAT processing devices and the secure PAT certification authority described above.

The processings of a PAT that contains the Null-AID are according to Fig. 21 to Fig. 24. When the holder AID is neither Null-AID nor God-AID, the God-AID is appended to the AID list and the holder index value is specified to be a position of the God-AID in the AID list after appending the God-AID. When the holder AID is Null-AID, the Null-AID is deleted from the AID list, the God-AID is appended to the AID list, and then the holder index value is specified to be a position of the God-AID in the AID list after appending the God-AID.

Next, the exemplary application of this fourth embodiment will be described with reference to Fig. 30.

In the case of producing PAT<AIDgod | AIDa, AIDb> from PAT<AIDnull | AIDa> and PAT<AIDnull | AIDb>, the following processing is executed at the secure PAT processing device which is connected with the terminal of the PAT holder (user-A in Fig. 30).

(1) Using MergePAT,

PAT<AIDnull | AIDa> + PAT<AIDnull | AIDb> + Enabler of AIDnull
-> PAT<AIDnull | AIDa, AIDb>.

(2) According to the above described rule (a) of the God-AID, AIDgod is known.

(3) According to the above described rule (b)(ii) of the God-AID,

PAT<AIDnull | AIDa, AIDb> + Enabler of AIDnull
-> PAT<AIDgod | AIDa, AIDb>.

The above processing is also executed at the secure PAT processing device connected with a computer (search engine, etc.) of the third person (Fig. 31) or at the secure PAT certification authority.



Next, with reference to Fig. 32, the fifth embodiment of the email access control scheme according to the present invention will be described in detail.

When the Null-AID is added as described in the third embodiment, there arises a problem that it becomes possible for the holder of the PAT (the user of the holder AID) to transfer the access right with respect to the member (the user of the member AID) to the third person, and moreover this transfer can be done without a permission of the member, as will be described now.

(1) The holder-A of PAT<AIDa | AIDb> (for the member-B) produces PAT<AIDnull | AIDb> by using PAT<AIDa | AIDb>, AIDa and Enabler of AIDa. Here, it is assumed that the holder-A knows all of AIDa, Enabler of AIDa, AIDnull, and Enabler of AIDnull in addition to PAT<AIDa | AIDb>.

(a) The holder-A produces PAT<AIDa | AIDnull> using the MakePAT as follows.

AIDa + AIDnull + Enabler of AIDnull + Enabler of AIDa
-> PAT<AIDa | AIDnull>

(b) The holder-A produces PAT<AIDnull | AIDb> using the TransPAT as follows.

PAT<AIDa | AIDb> + PAT<AIDa | AIDnull> + Enabler of AIDa + Enabler of AIDnull
-> PAT<AIDnull | AIDb>

When, after the above described operation (1)(b), the holder-A gives PAT<AIDnull | AIDb> to the third person-C, the following operation (2) becomes possible.

(2) The third person-C produces PAT<AIDc | AIDb> by using PAT<AIDnull | AIDb>. Here, it is assumed that the third person-C knows all of AIDc, Enabler of AIDc, AIDnull, and Enabler of AIDnull in addition to PAT<AIDnull | AIDb>.

(a) The third person-C produces PAT<AIDnull | AIDc> using the MakePAT as follows.

AIDnull + AIDc + Enabler of AIDc + Enabler of AIDnull
-> PAT<AIDnull | AIDc>

(b) The third person-C produces PAT<AIDc | AIDb> using the TransPAT as follows.

PAT<AIDnull | AIDb> + PAT<AIDnull | AIDc> + Enabler of AIDnull + Enabler of AIDc
-> PAT<AIDc | AIDb>

As a result of the above described operation (2)(b), the third person-C obtains PAT<AIDc | AIDb>, so that accesses to the member-B become possible.

For this reason, in this fifth embodiment, it is made impossible for the holder of PAT<AIDholder | AIDmember> to produce PAT<AIDnull | AIDmember> from this PAT<AIDholder | AIDmember> as long as the holder does not know Enabler of AIDmember.

In the third embodiment described above, in order for the PAT holder to produce PAT<AIDnull | AIDmember> without using Enabler of AIDmember, it is necessary to produce PAT<AIDholder | AIDnull>.

To this end, in this fifth embodiment, for the Null-AID described in the third embodiment, the following rule is added:

* the Null-AID can be used only as the holder AID of the PAT (the Null-AID cannot be used as the member AID). That is, PAT<AIDnull | AIDmember1, AIDmember2, ..., AIDmemberN> is allowed, but PAT<AIDholder | AIDnull, AIDmember1, AIDmember2, ..., AIDmemberN> is not allowed.

Each of the secure PAT processing devices and the secure PAT certification authority is additionally equipped with a function for checking whether the Null-AID is contained as the member AID or not. This member AID checking processing is carried out according to Fig. 32 as follows.

(1) Null-AID and PAT are entered (step S6911).

(2) All the member AIDs are taken out from the PAT entered at the step S6911 (step S6913).

(3) Each of the taken out member AIDs is compared with the Null-AID entered at the step S6911 (step S6915).

If none of the member AIDs completely matches with the Null-AID (step S6917 NO, step S6919 NO), the processing proceeds to the MergePAT, SplitPAT or TransPAT processing (Fig. 21 or Fig. 22) (step S6921).

If there is a member AID that completely matches with the Null-AID (step S6917 YES), the processing is terminated.
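The four PAT commands with their holder and member AID determination rules, the Enabler verification of Fig. 24, the Null-AID processings of the third embodiment and the member AID check of Fig. 32 can be exercised together in one model. The following Python is an added example, not the patent's own code: it assumes string AIDs, an HMAC under a constructed CA_KEY as a stand-in for the CA's signature, constructed names AIDa and AIDb, and applies the Fig. 32 check to MakePAT output as well, since the added rule forbids a PAT with the Null-AID as a member.

```python
"""PAT processing device model: added example, not the patent's own code.
Stand-ins: AIDs are plain strings and the CA's signature on an Enabler is an
HMAC under CA_KEY (only the CA and the secure PAT processing device hold it)."""
import hashlib
import hmac
from dataclasses import dataclass

CA_KEY = b"constructed-ca-key"   # stand-in for the CA's secret key
NULL_AID = "AIDnull"             # rule (b)(i): the Null-AID is known to every user


def ca_sign(payload: str) -> str:
    return hmac.new(CA_KEY, payload.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Enabler:
    """Top field certifying an Enabler, the AID, and the CA's signature (Fig. 26 layout)."""
    aid: str
    top: str
    sig: str


def make_enabler(aid: str) -> Enabler:
    return Enabler(aid, "Enabler", ca_sign(f"Enabler|{aid}"))


def enabler_is_proper(aid: str, en: Enabler) -> bool:
    """Verification of the properness of the Enabler (Fig. 24, steps S5511 to S5519)."""
    if not hmac.compare_digest(ca_sign(f"{en.top}|{en.aid}"), en.sig):
        return False          # S5513 YES: the Enabler was altered
    if en.top != "Enabler":
        return False          # S5516 NO: top field does not certify an Enabler
    return en.aid == aid      # S5517: AID within the Enabler against the given AID


@dataclass(frozen=True)
class PAT:
    holder: str
    members: tuple


class PATError(Exception):
    pass


def check_no_null_member(pat: PAT) -> PAT:
    """Member AID checking of the fifth embodiment (Fig. 32): Null-AID only as holder."""
    if NULL_AID in pat.members:
        raise PATError("Null-AID is not allowed as a member AID")
    return pat


def make_pat(holder, member_aids, member_enablers, holder_enabler) -> PAT:
    """MakePAT: the holder must be enabled; only member AIDs with a matching Enabler are kept."""
    if not enabler_is_proper(holder, holder_enabler):
        raise PATError("holder AID is not enabled")
    members = tuple(a for a in member_aids
                    if any(enabler_is_proper(a, e) for e in member_enablers))
    return check_no_null_member(PAT(holder, members))


def merge_pat(pats, holder_enabler) -> PAT:
    """MergePAT: PATs of one holder are joined under that holder's Enabler."""
    holder = pats[0].holder
    for p in pats:
        if check_no_null_member(p).holder != holder:
            raise PATError("MergePAT needs PATs of the same holder")
    if not enabler_is_proper(holder, holder_enabler):
        raise PATError("holder AID is not enabled")
    return PAT(holder, tuple(dict.fromkeys(a for p in pats for a in p.members)))


def split_pat(pat, groups, holder_enabler) -> list:
    """SplitPAT: each parenthesised group of member AIDs becomes a PAT of the same holder."""
    if not enabler_is_proper(check_no_null_member(pat).holder, holder_enabler):
        raise PATError("holder AID is not enabled")
    if any(a not in pat.members for g in groups for a in g):
        raise PATError("a group names an AID that is not a member")
    return [PAT(pat.holder, tuple(g)) for g in groups]


def trans_pat(pat1, pat2, new_holder, holder_enabler, new_holder_enabler) -> PAT:
    """TransPAT: the new holder, a member of pat2, takes over all remaining members."""
    check_no_null_member(pat1)
    check_no_null_member(pat2)
    if pat1.holder != pat2.holder or not enabler_is_proper(pat1.holder, holder_enabler):
        raise PATError("Enabler does not correspond to the holder of both PATs")
    if new_holder not in pat2.members or not enabler_is_proper(new_holder, new_holder_enabler):
        raise PATError("new holder is not in the second PAT or not enabled")
    members = [a for a in pat1.members + pat2.members if a != new_holder]
    return PAT(new_holder, tuple(dict.fromkeys(members)))


def third_embodiment_flow() -> PAT:
    """Fig. 27: user-A ends with PAT<AIDa | AIDb> without ever holding Enabler of AIDb."""
    en_null, en_a, en_b = make_enabler(NULL_AID), make_enabler("AIDa"), make_enabler("AIDb")
    pat_null_b = make_pat(NULL_AID, ["AIDb"], [en_b], en_null)   # processing (1) at user-B
    pat_null_a = make_pat(NULL_AID, ["AIDa"], [en_a], en_null)   # processing (1) at user-A
    return trans_pat(pat_null_b, pat_null_a, "AIDa", en_null, en_a)  # processing (3)


def holder_transfer_is_rejected() -> bool:
    """Fifth embodiment, step (1)(a): MakePAT of PAT<AIDa | AIDnull> must now fail."""
    try:
        make_pat("AIDa", [NULL_AID], [make_enabler(NULL_AID)], make_enabler("AIDa"))
    except PATError:
        return True
    return False
```

The Null-AID flow of Fig. 27 still succeeds, while the holder's first step towards PAT<AIDnull | AIDb> is refused before any TransPAT can run.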

Next, with reference to Fig. 33 to Fig. 39, the sixth embodiment of the email access control scheme according to the present invention will be described in detail.

This sixth embodiment differs from the first embodiment described above in that link information is added to the AID of Fig. 2 used in the first embodiment, as shown in a part (b) of Fig. 34, while the link information of the AID is set instead of the AID itself that is contained in the 1-to-1 PAT of Fig. 2, as shown in a part (c) of Fig. 34, such that the AID is uniquely identified by the link information.

Note that such an AID to which the link information is added will be referred to as a link information attached AID, and a 1-to-1 PAT having the link information of the AID will be referred to as a link specifying 1-to-1 PAT. Also, the link information is information capable of uniquely identifying the AID, which is given by a kind of data generally known as an identifier, such as a serial number uniquely assigned to the AID by the CA, for example.

Fig. 33 shows an overall configuration of a communication system in this sixth embodiment.

In Fig. 33, the CA (Certification Authority) 1 has a right to authenticate OIDs and a right to issue AIDs, and functions to allocate AIDs to users 3.

The SCS (Secure Communication Service) 5 transfers emails among the users 3, and carries out the receiving refusal, the identity judgement and the extraction of the OID according to the need.

The ADS (Anonymous Directory Service) 7 is a database for managing the AID, the transfer control flag value, the validity period value, and the disclosed information of each user 3. The ADS 7 has a function to generate the PAT from the AID of a searcher and the AID of a registrant who satisfies the search conditions, and issue it to the searcher.

A series of processing from generating the AID from the OID according to a request from a user until allocating the AID to that user is basically the same as in the first embodiment, except that the link information is to be added, which will now be described with reference to Fig. 34.

Fig. 34 shows exemplary formats of the OID, the link information attached AID, and the link specifying 1-to-1 PAT. As shown in a part (a) of Fig. 34, the OID is information comprising an arbitrary character string according to a rule by which the CA 1 can uniquely identify the user, and a public key, which is signed by the CA 1.

Also, as shown in a part (b) of Fig. 34, the link information attached AID is information comprising fragments of the OID and their position information, redundant character strings, SCS information given by an arbitrary character string (host name, real domain name, etc.) by which a host or a domain that is operating the SCS can be uniquely identified on the network, and the link information, which is signed by the CA 1.

Also, as shown in a part (c) of Fig. 34, the link specifying 1-to-1 PAT is information comprising the transfer control flag, the link information of AIDa, the link information of AIDb, and the validity period, which is signed by the ADS 7 using a secret key of the ADS 7.

A procedure by which the user 3 requests the link information attached AID from the CA 1 is the same as that of the first embodiment. A procedure by which the CA 1 issues the link information attached AID to the user 3 in response to a request for the AID is also the same as that of the first embodiment.

Next, the link information attached AID generation processing at the CA will be described with reference to Fig. 35.

In the procedure of Fig. 35, the CA 1 generates information of a length equal to the total length L of the OID, and sets this information as a tentative AID (step S7211). Then, in order to carry out the partial copying of the OID, values of parameters p1 and λ1 for specifying a copying region are determined using arbitrary means such as random number generation, respectively (step S7213). Here, L is equal to the total length L of the OID, and λ1 is an arbitrarily defined value within a range in which a relationship of 0 < λ1 < L holds. Then, information in a range between a position p1 and a position p1 + λ1 from the top of the OID is copied to the same positions in the tentative AID (step S7215). In other words, this OID fragment will be copied to a range between a position p1 and a position p1 + λ1 from the top of the tentative AID. Then, the values of p1 and λ1 are written into a prescribed range in the tentative AID into which the OID has been partially copied, in a form encrypted by an arbitrary means (step S7217). Then, SCS information given by an arbitrary character string (host name, real domain, etc.) that can uniquely identify a host or a domain that is operating the SCS 5 on the network is written into a prescribed range in the tentative AID into which these values are written (step S7219). Then, the link information is written (step S7220). Then, the tentative AID into which the above character string and the link information are written is signed using a secret key of the CA 1 (step S7221).
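The procedure of Fig. 35, as an added Python example that is not the patent's code. It assumes an HMAC under a constructed CA_KEY as a stand-in for the CA's signature, a keystream XOR under a constructed PARAM_KEY as the "arbitrary means" of encrypting p1 and λ1, and models the prescribed ranges of the tentative AID as fields of a record; the OID, SCS information and link information values are constructed.

```python
"""Link information attached AID generation at the CA (Fig. 35): added example,
not the patent's code. Stand-ins: the CA's signature is an HMAC under CA_KEY, the
encryption of (p1, lambda1) is a keystream XOR under PARAM_KEY, and the prescribed
ranges of the tentative AID are modelled as fields of a record."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CA_KEY = b"constructed-ca-secret"      # stand-in for the secret key of the CA 1
PARAM_KEY = b"constructed-param-key"   # stand-in for the "arbitrary means" of encryption


@dataclass(frozen=True)
class LinkAID:
    body: bytes       # L bytes: OID fragment at [p1, p1 + lambda1), random filler elsewhere
    params: bytes     # (p1, lambda1), encrypted
    scs_info: str     # host or domain operating the SCS 5
    link_info: str    # identifier the CA assigned to this AID (a serial number, for example)
    sig: bytes        # CA signature over all fields above


def _xor_params(data: bytes, link_info: str) -> bytes:
    """Encrypt or decrypt the 4-byte parameter field (same operation both ways)."""
    keystream = hashlib.sha256(PARAM_KEY + link_info.encode()).digest()[:4]
    return bytes(a ^ b for a, b in zip(data, keystream))


def _signed_part(body: bytes, params: bytes, scs_info: str, link_info: str) -> bytes:
    return body + params + scs_info.encode() + b"\x00" + link_info.encode()


def ca_sign(data: bytes) -> bytes:
    return hmac.new(CA_KEY, data, hashlib.sha256).digest()


def generate_link_aid(oid: bytes, scs_info: str, link_info: str, p1=None, lam=None) -> LinkAID:
    """Steps S7211 to S7221; p1 and lambda1 are drawn at random unless given."""
    L = len(oid)
    body = bytearray(secrets.token_bytes(L))       # S7211: tentative AID of length L
    if lam is None:
        lam = secrets.randbelow(L - 1) + 1          # S7213: 0 < lambda1 < L
    if p1 is None:
        p1 = secrets.randbelow(L - lam + 1)         # assumption: the region ends inside the OID
    if not (0 < lam < L and 0 <= p1 and p1 + lam <= L):
        raise ValueError("copying region is not inside the OID")
    body[p1:p1 + lam] = oid[p1:p1 + lam]            # S7215: fragment copied to the same positions
    params = _xor_params(p1.to_bytes(2, "big") + lam.to_bytes(2, "big"), link_info)  # S7217
    body = bytes(body)
    return LinkAID(body, params, scs_info, link_info,      # S7219, S7220 modelled as fields
                   ca_sign(_signed_part(body, params, scs_info, link_info)))  # S7221


def verify_link_aid(aid: LinkAID) -> bool:
    """Holder of the CA's verification key: was the AID altered after issue?"""
    expected = ca_sign(_signed_part(aid.body, aid.params, aid.scs_info, aid.link_info))
    return hmac.compare_digest(expected, aid.sig)


def fragment_origin_matches(aid: LinkAID, oid: bytes) -> bool:
    """CA-side check: recover (p1, lambda1) and confirm the fragment came from this OID."""
    plain = _xor_params(aid.params, aid.link_info)
    p1, lam = int.from_bytes(plain[:2], "big"), int.from_bytes(plain[2:], "big")
    return p1 + lam <= len(oid) and aid.body[p1:p1 + lam] == oid[p1:p1 + lam]
```

Only the λ1 bytes of the fragment are OID-derived; the rest of the body is fresh filler, so two AIDs issued for the same OID do not share anything a third party can correlate without the CA's parameter key.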

Next, a procedure for registering the AID of a user-B 3 and the disclosed information into the ADS 7 will be described. First, the bidirectional authentication by arbitrary means using the AID of the user-B 3 and the certificate of the ADS 7 is carried out between the user-B 3 who is a registrant and the ADS 7. Then, the user-B 3 transmits the transfer control flag value, the validity period value, and the disclosed information such as interests to the ADS 7. Then, the ADS 7 stores the transfer control flag value, the validity period value, and the entire disclosed information in relation to the AID of the user-B 3 in its storage device. Here, there can be cases where communications between the user-B 3 who is the registrant and the ADS 7 are to be encrypted.

Next, a procedure by which a user-A 3 searches through the disclosed information that is registered in the ADS 7 will be described. First, the bidirectional authentication by arbitrary means using the AID of the user-A 3 and the certificate of the ADS 7 is carried out between the user-A 3 who is a searcher and the ADS 7. Then, the user-A 3 transmits arbitrary search conditions to the ADS 7. Then, the ADS 7 presents all the received search conditions to its storage device, and extracts the AID of a registrant which satisfies these search conditions. Then, the ADS 7 generates the link specifying 1-to-1 PAT from the link information of the AID of the user-A 3 and the link information of the AID of the registrant who satisfied the search conditions, the transfer control flag value, and the validity period value. Then, the ADS 7 transmits the generated PAT to the user-A 3. Here, there can be cases where communications between the user-A 3 who is a searcher and the ADS 7 are to be encrypted. Note that the link specifying 1-to-1 PAT is generated as a search result of the ADS 7.

Next, the link specifying 1-to-1 PAT generation processing at the ADS 7 will be described with reference to Fig. 36.

First, information of a prescribed length is generated, and this information is set as a tentative PAT (step S7510). Then, the link information of the AID of the user-A 3 who is a searcher and the link information of the AID of the user-B 3 who is a registrant are copied into a prescribed region of the tentative PAT (step S7516). Then, the transfer control flag value and the validity period value are written into respective prescribed regions of the tentative PAT into which the link information of the AIDs is copied (step S7517). Then, the tentative PAT into which these values are written is signed using a secret key of the ADS 7 (step S7519).

Next, the transfer control using the link specifying 1-to-1 PAT will be described. The transfer control is a function for limiting accesses to a user who has a proper access right from a third person to whom the PAT has been transferred or who has eavesdropped the PAT (a user who originally does not have the access right).

The ADS 7 and the user-B 3 of the registrant AID can prohibit a connection to the user-B 3 from a third person who does not have the access right, by setting a certain value into the transfer control flag of the PAT.

When the transfer control flag value is set to be 1, the sender's AID is authenticated between the SCS 5 and the sender according to an arbitrary challenge/response process, so that even if the sender gives both the sender's AID and the PAT to another user other than the sender, that other user will not be able to make a connection to the registrant of the ADS 7 through the SCS 5.

On the other hand, when the transfer control flag value is set to be 0, no challenge/response process will be carried out between the SCS 5 and the sender, so that if the sender gives both the sender's AID and the PAT to another user other than the sender, that other user will also be able to make a connection to the registrant of the ADS 7 through the SCS 5.
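The link specifying 1-to-1 PAT of Fig. 36 and the effect of the transfer control flag at the SCS, as an added Python example that is not the patent's code. It assumes an HMAC under a constructed ADS_KEY as a stand-in for the ADS signature, an HMAC under a per-AID key (which the SCS looks up by link information) as the "arbitrary challenge/response process", and a validity period given as a UNIX timestamp; the link information and key values are constructed.

```python
"""Link specifying 1-to-1 PAT (Fig. 36) and the transfer control enforced at the SCS:
added example, not the patent's code. Stand-ins: the ADS signature is an HMAC under
ADS_KEY, the challenge/response is an HMAC under a per-AID key that the SCS looks up by
link information, and the validity period is a UNIX timestamp."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ADS_KEY = b"constructed-ads-secret"   # stand-in for the secret key of the ADS 7


@dataclass(frozen=True)
class LinkPAT:
    transfer_flag: int   # 1: the SCS authenticates the sender's AID; 0: it does not
    link_a: str          # link information of the searcher's AID (user-A)
    link_b: str          # link information of the registrant's AID (user-B)
    not_after: int       # validity period (last valid UNIX time)
    sig: bytes           # ADS signature over the four fields above


def _pat_bytes(flag: int, link_a: str, link_b: str, not_after: int) -> bytes:
    return f"{flag}|{link_a}|{link_b}|{not_after}".encode()


def ads_generate_pat(link_a: str, link_b: str, transfer_flag: int, not_after: int) -> LinkPAT:
    """Steps S7510 to S7519: copy both link informations, write flag and period, sign."""
    sig = hmac.new(ADS_KEY, _pat_bytes(transfer_flag, link_a, link_b, not_after),
                   hashlib.sha256).digest()
    return LinkPAT(transfer_flag, link_a, link_b, not_after, sig)


def pat_is_intact(pat: LinkPAT) -> bool:
    """Signature check with the ADS key; also catches a downgraded transfer control flag."""
    expected = hmac.new(ADS_KEY, _pat_bytes(pat.transfer_flag, pat.link_a, pat.link_b,
                                            pat.not_after), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pat.sig)


def respond(challenge: bytes, aid_key: bytes) -> bytes:
    """What a sender computes from the SCS's challenge with the key behind its AID."""
    return hmac.new(aid_key, challenge, hashlib.sha256).digest()


def scs_decide(pat: LinkPAT, sender_link: str, now: int, key_of_link: dict, responder) -> str:
    """SCS-side decision for one mail: 'deliver' or the reason for discarding it."""
    if not pat_is_intact(pat):
        return "discard: PAT altered"
    if sender_link not in (pat.link_a, pat.link_b):
        return "discard: sender's link information not in PAT"
    if now > pat.not_after:
        return "discard: PAT outside validity period"
    if pat.transfer_flag == 1:               # challenge/response only when the flag is 1
        challenge = secrets.token_bytes(16)
        expected = respond(challenge, key_of_link[sender_link])   # key obtained via the CA
        if not hmac.compare_digest(expected, responder(challenge)):
            return "discard: sender's AID not authenticated"
    return "deliver"


def transfer_scenarios() -> dict:
    """Constructed scenario: user-A is the sender named in the PAT; user-C was given A's
    AID and PAT and can only answer the challenge with C's own key."""
    key_a, key_c = b"constructed-key-of-AIDa", b"constructed-key-of-AIDc"
    key_of_link = {"link-A": key_a, "link-B": b"constructed-key-of-AIDb"}
    now = 1_700_000_000
    results = {}
    for flag in (1, 0):
        pat = ads_generate_pat("link-A", "link-B", flag, now + 3600)
        results[f"A, flag={flag}"] = scs_decide(pat, "link-A", now, key_of_link,
                                                lambda ch: respond(ch, key_a))
        results[f"C, flag={flag}"] = scs_decide(pat, "link-A", now, key_of_link,
                                                lambda ch: respond(ch, key_c))
    stale = ads_generate_pat("link-A", "link-B", 1, now - 1)
    results["expired"] = scs_decide(stale, "link-A", now, key_of_link,
                                    lambda ch: respond(ch, key_a))
    return results
```

With the flag at 1 the transferred PAT is useless to user-C, with the flag at 0 it is not; because the flag is under the ADS signature, a recipient of the PAT cannot clear it without the PAT being found altered.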

Next, the email access control method at the SCS 5 
15 will be described with reference to Fig. 37. 

The sender specifies "[sender's AID]® [real domain of 
SCS of sender]" In From: line, and " [PAT] ©[real domain of 
SCS of sender]" in To: line. 

The SCS 5 acquires a mail received by an MTA (Message
Transfer Agent) such as SMTP (Simple Mail Transfer
Protocol), and executes the processing of Fig. 37 as
follows.

(1) The signature of the PAT is verified using a public
key of the ADS 7 (step S7713).

When the PAT is found to have been altered (step S7715
YES), the mail is discarded and the processing is
terminated (step S7716).

When the PAT is found to have been not altered (step
S7715 NO), the following processing (2) is executed.

(2) The search is carried out by presenting the link
information of the sender's AID to the PAT (steps S7717,
S7720, S7722).

When a link information that completely matches with
the link information of the sender's AID is not contained
in the PAT (step S7723 NO), the mail is discarded and the
processing is terminated (step S7716).

When a link information that completely matches with
the link information of the sender's AID is contained in
the PAT (step S7723 YES), the following processing (3) is
executed.

(3) The validity period value of the PAT is evaluated
(steps S7725, S7727).

When the PAT is outside the validity period (step
S7727 NO), the mail is discarded and the processing is
terminated (step S7716).

When the PAT is within the validity period (step S7727
YES), the following processing (4) is executed.

(4) Whether or not to authenticate the sender is
determined by referring to the transfer control flag value
of the PAT (steps S7731, S7733).

When the value is 1 (step S7733 YES), the SCS 5
acquires the sender's AID itself and the public key of the
sender's AID by presenting the link information to the CA
1, and then the challenge/response authentication between
the SCS 5 and the sender is carried out, and the signature
of the sender is verified (step S7735). When the signature
is valid, the recipient is specified and the PAT is
attached (step S7737). When the signature is invalid, the
mail is discarded and the processing is terminated (step
S7716).

When the value is 0 (step S7733 NO), the recipient is
specified and the PAT is attached without executing the
challenge/response authentication (step S7737).

The challenge/response authentication between the SCS
5 and the sender is the same as that for the 1-to-1 PAT
described above.

Next, a method for specifying the recipient at the SCS
5 will be described. First, the SCS 5 carries out the
search by presenting the link information of the sender's
AID to the PAT, so as to acquire all the link informations
which do not completely match the link information of the
sender's AID. Then, the search is carried out by presenting
all these acquired link informations to the CA 1 so as to
acquire the AIDs. All these acquired AIDs will be defined
as recipient's AIDs hereafter. Then, for every recipient's
AID, the real domain of SCS of recipient is taken out from
the recipient's AID. Then, the recipient is specified in a
format of "[recipient's AID]@[real domain of SCS of
recipient]". Finally, the SCS 5 changes the sender from a
format of "[sender's AID]@[real domain of SCS of sender]"
to a format of "[sender's AID]".

The method for attaching the PAT at the SCS 5 is the
same as that for the 1-to-1 PAT described above.

Next, a method of receiving refusal with respect to
the PAT at the SCS 5 will be described.

Receiving refusal setting: The bidirectional
authentication is carried out by an arbitrary means between
the user and the SCS 5. Then, the user transmits a
registration command, his/her own AID, and arbitrary PATs
to the SCS 5. Then, the SCS 5 verifies the signature of the
received AID. If the signature is invalid, the processing
of the SCS 5 is terminated. If the signature is valid, the
SCS 5 next verifies the signature of each received PAT
using a public key of the ADS. Those PATs with the invalid
signature are discarded by the SCS 5. When the signature is
valid, the SCS 5 takes out the link information from the
received AID, and then carries out the search by presenting
the taken out link information to each PAT. For each of
those PATs which contain the link information that
completely matches with the link information of the
received AID, the SCS 5 presents the registration command
and the PAT to the storage device such that the PAT is
registered into the storage device. Those PATs which do not
contain the link information that completely matches with
the link information of the received AID are discarded by
the SCS 5 without storing them into the storage device.
Here, there can be cases where communications between the
user and the SCS 5 are to be encrypted.

Receiving refusal execution: The SCS 5 carries out the
search by presenting the PAT to the storage device. When a
PAT that completely matches the presented PAT is registered
in the storage device, the mail is discarded. When a PAT
that completely matches the presented PAT is not registered
in the storage device, the mail is not discarded.

Receiving refusal cancellation: The bidirectional
authentication is carried out by an arbitrary means between
the user and the SCS 5. Then, the user presents his/her own
AID to the SCS 5. Then, the SCS 5 verifies the signature of
the received AID. If the signature is invalid, the
processing of the SCS 5 is terminated. If the signature is
valid, the SCS 5 next takes out the link information from
the presented AID, presents the taken out link information
as a search condition to the storage device so as to
acquire all the PATs that contain the presented link
information, and then presents all the acquired PATs to the
user. Then, the user selects all the PATs for which the
receiving refusal is to be cancelled by referring to all
the PATs presented from the SCS 5, and transmits all the
selected PATs along with a deletion command to the SCS 5.
Upon receiving the deletion command and all the PATs for
which the receiving refusal is to be cancelled, the SCS 5
presents the deletion command and all the PATs received
from the user to the storage device, such that all the
received PATs are deleted from the storage device.

Note that the method of receiving refusal with respect
to the link specifying 1-to-N PAT at the SCS 5 is the same
as the method of receiving refusal with respect to the link
specifying 1-to-1 PAT described above.
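The Fig. 37 decision sequence, the recipient specification and the three receiving refusal operations described above, as an added worked example that is not part of the patent text. The PAT fields, the CA directory, the AIDs and their link informations are constructed sample data; an HMAC under a constructed key stands in for the ADS signature, a callback stands in for the challenge/response exchange with the sender, the CA-side check of the AID signature during refusal setting is left out, and the receiving refusal check is placed after the Fig. 37 steps, an ordering the page does not fix:

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the ADS key pair: the page has the ADS sign the PAT with
# its secret key and the SCS verify it with the ADS public key; an HMAC under this
# key plays that role so the example runs with the standard library alone.
ADS_KEY = b"constructed-ads-key"

# Constructed CA directory: link information -> (AID, real domain of that AID's SCS).
CA_DIRECTORY = {
    "link-A": ("AID-A", "scs-a.example"),
    "link-B": ("AID-B", "scs-b.example"),
    "link-C": ("AID-C", "scs-c.example"),
}
# The link information "taken out" of an AID (constructed one-to-one mapping).
AID_LINK = {aid: link for link, (aid, _domain) in CA_DIRECTORY.items()}

@dataclass(frozen=True)
class PAT:
    links: tuple            # link informations of the AIDs this PAT connects
    transfer_control: int   # 1 = challenge/response required, 0 = not required
    not_before: int         # validity period as absolute times (seconds)
    not_after: int
    signature: bytes = b""

    def body(self) -> bytes:
        fields = [*self.links, str(self.transfer_control), str(self.not_before), str(self.not_after)]
        return "|".join(fields).encode()

def issue_pat(links, transfer_control, not_before, not_after) -> PAT:
    """ADS side: fill in the PAT fields and sign them (stand-in signature)."""
    unsigned = PAT(tuple(links), transfer_control, not_before, not_after)
    signature = hmac.new(ADS_KEY, unsigned.body(), hashlib.sha256).digest()
    return PAT(unsigned.links, transfer_control, not_before, not_after, signature)

def verify_pat(pat: PAT) -> bool:
    """SCS side, steps S7713/S7715: an altered PAT fails verification."""
    expected = hmac.new(ADS_KEY, pat.body(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pat.signature)

class RefusalStore:
    """The SCS storage device used for receiving refusal."""

    def __init__(self):
        self._pats = set()

    def register(self, user_aid, pats):
        """Receiving refusal setting: keep only PATs with a valid signature that
        contain the link information of the registering user's AID."""
        link = AID_LINK[user_aid]
        kept = [p for p in pats if verify_pat(p) and link in p.links]
        self._pats.update(kept)
        return kept

    def is_refused(self, pat) -> bool:
        """Receiving refusal execution: a completely matching PAT is registered."""
        return pat in self._pats

    def pats_for(self, user_aid):
        """Receiving refusal cancellation, first half: the user's registered PATs."""
        link = AID_LINK[user_aid]
        return [p for p in self._pats if link in p.links]

    def cancel(self, pats):
        """Receiving refusal cancellation, second half: delete the selected PATs."""
        self._pats.difference_update(pats)

def process_mail(sender_aid, pat, now, authenticate, refusals):
    """The Fig. 37 decision sequence for one mail. `authenticate(sender_aid)`
    stands in for the challenge/response exchange and returns True on success.
    Returns ("discard", reason) or ("deliver", recipients, sender_display)."""
    if not verify_pat(pat):
        return ("discard", "PAT altered")                          # S7715 YES
    sender_link = AID_LINK[sender_aid]
    if sender_link not in pat.links:
        return ("discard", "sender's link information not in PAT")  # S7723 NO
    if not (pat.not_before <= now <= pat.not_after):
        return ("discard", "PAT outside validity period")          # S7727 NO
    if pat.transfer_control == 1 and not authenticate(sender_aid):
        return ("discard", "sender authentication failed")         # S7735
    if refusals.is_refused(pat):
        return ("discard", "receiving refusal registered")         # refusal execution
    # Recipient specification: every link information other than the sender's,
    # resolved through the CA to "[recipient's AID]@[real domain of SCS of recipient]".
    recipients = []
    for link in pat.links:
        if link != sender_link:
            aid, domain = CA_DIRECTORY[link]
            recipients.append(f"{aid}@{domain}")
    # The From: line is reduced to the bare sender's AID before the PAT is attached.
    return ("deliver", recipients, sender_aid)
```

The order of the checks matters for a defender: the signature is verified before anything in the PAT is trusted, so a PAT whose link list or validity period has been edited never reaches the membership or period checks, and the transfer control flag only costs a challenge/response round trip when the holder asked for it.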

Next, the judgement of identity will be described with
reference to Fig. 38 and Fig. 39.
(1) An initial value of a variable OIDn is defined as a
bit sequence with a length equal to the total length L of
the OID and all values equal to "0". Also, an initial value
of a variable OIDu is defined as a bit sequence with a
length equal to the total length of the OID and all values
equal to "0" (step S7911).

(2) One link information attached AID is selected from a
set of processing target link information attached AIDs,
and the following bit processing is carried out (step
S7913).

(a) Values of variables AIDn and AIDu are determined
according to the position information contained in the link
information attached AID (step S7915). Here, AIDn is
defined as a bit sequence with a length equal to the total
length L of the OID in which a value of a position at which
the OID information is defined is "1" while a value of a
position at which the OID information is not defined is "0"
(see Fig. 39). Also, AIDu is defined as a bit sequence with
a length equal to the total length L of the OID in which a
value of a position at which the OID information is defined
is an actual value of the OID information while a value of
a position at which the OID information is not defined is
"0" (see Fig. 39).

(b) AND processing of OIDu and AIDn is carried out and
its result is substituted into a variable OVRn (step
S7917).

(c) AND processing of OVRn and AIDn as well as AND
processing of OVRn and OIDn are carried out and their
results are compared (step S7919). When they coincide, OR
processing of OIDn and AIDn is carried out and its result
is substituted into OIDn (step S7921), while OR processing
of OIDu and AIDu is also carried out and its result is
substituted into OIDu (step S7923). On the other hand, when
they do not coincide, the processing proceeds to the step
S7925.
(d) A link information attached AID to be processed
next is selected from the set of processing target link
information attached AIDs. When at least one other link
information attached AID is contained in the set, the steps
S7913 to S7923 are executed for that link information
attached AID. When no other link information attached AID
is contained in the set, the processing proceeds to the
step S7927.

(e) Values of OIDn and OIDu are outputted (step
S7927).

The value of OIDn that is eventually obtained
indicates all positions of the OID information that can be
recovered from the set of processing target link
information attached AIDs. Also, the value of OIDu that is
eventually obtained indicates all the OID information that
can be recovered from the set of processing target link
information attached AIDs. In other words, by using the
values of OIDn and OIDu, it is possible to obtain the OID,
albeit probabilistically, when the value of OIDu is used as
a search condition, and it is possible to quantitatively
evaluate a precision of the above search by a ratio OIDn/L
with respect to the total length L of the OID.
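The bit processing of steps S7911 to S7927, as an added example that is not part of the patent text. The AIDs are constructed sample fragments (a mapping from OID position to the bit value the AID carries there). The example reads steps (b) and (c) as a consistency check on the positions defined by both OIDn and the new AIDn: the new AID is merged only when its values on those positions agree with the values already recovered in OIDu; this reading, the left-to-right bit numbering and the interpretation of OIDn/L as recovered positions over total length are assumptions made here. A search-condition check for the use of OIDu described in the last paragraph is included as well:

```python
def aid_masks(fragments, length):
    """Step S7915: build (AIDn, AIDu) for one link information attached AID.
    `fragments` maps an OID position (0 = leftmost bit of the L-bit sequence)
    to the bit value the AID carries there; positions not present are undefined."""
    aidn = aidu = 0
    for pos, bit in fragments.items():
        mask = 1 << (length - 1 - pos)
        aidn |= mask                        # the position is defined in this AID
        if bit:
            aidu |= mask                    # the actual OID value at that position
    return aidn, aidu


def judge_identity(aid_fragments, length):
    """Steps S7911 to S7927 over a set of processing target AIDs.
    Returns (OIDn, OIDu): recovered positions and recovered values."""
    oidn = oidu = 0                         # S7911: both sequences all "0"
    for fragments in aid_fragments:         # S7913: one AID at a time
        aidn, aidu = aid_masks(fragments, length)
        ovrn = oidn & aidn                  # positions defined by both (reading of S7917)
        # S7919: merge only if the new AID agrees with what was already recovered
        # on the overlapping positions; a conflicting AID is skipped (S7925).
        if (ovrn & aidu) == (ovrn & oidu):
            oidn |= aidn                    # S7921
            oidu |= aidu                    # S7923
    return oidn, oidu                       # S7927


def search_precision(oidn, length):
    """The page's ratio OIDn/L, taken as recovered positions over total length."""
    return bin(oidn).count("1") / length


def matches_search(candidate_oid, oidn, oidu):
    """OIDu as a search condition: a candidate OID matches when it agrees with
    OIDu on every recovered position (the undefined positions are wildcards)."""
    return (candidate_oid & oidn) == oidu


def bits(value, length):
    """Render a bit sequence the way Fig. 39 draws it."""
    return format(value, f"0{length}b")


if __name__ == "__main__":
    # Constructed sample: three AIDs issued for one 8-bit OID, the third one
    # carrying a value that contradicts the first on position 0.
    sample = [{0: 1, 1: 0, 2: 1}, {2: 1, 3: 1}, {0: 0}]
    oidn, oidu = judge_identity(sample, 8)
    print("OIDn =", bits(oidn, 8), "OIDu =", bits(oidu, 8),
          "precision =", search_precision(oidn, 8))
```

The consistency check is what makes the judgement useful against a sender who mixes in unrelated AIDs: fragments that contradict the positions already recovered do not poison OIDu, they are simply left out, and the precision ratio tells the operator how much of the OID the remaining fragments actually pin down.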

As described above, in this sixth embodiment, the CA 1
which is a Trusted Third Party with high secrecy and
credibility generates the link information attached AID in
which the personal information is concealed, from the OID
that contains the highly secret personal information such
as name, telephone number, real email address, etc.,
according to a user request, and issues the AID to the
user. By identifying the user by this AID on the
communication network as well as in various services
provided on the communication network, it becomes possible
to provide both the anonymity guarantee and the identity
guarantee for the user. In other words, it becomes possible
for the user to communicate with another user without
revealing the own real name, telephone number, email
address, etc., to that another user, and it also becomes
possible to disclose the disclosed information to
unspecified many through the ADS 7 as will be described
below.

The user registers the disclosed information, that is,
an information which is supposed to have a low secrecy
compared with the personal information, at the ADS 7. In
the case of searching the disclosed information and the
registrant AID, the searcher presents the link information
attached AID of the searcher and arbitrary search
conditions to the ADS 7. The ADS 7 then extracts the
registrant link information attached AID that satisfies
these search conditions, and generates the link specifying
1-to-1 PAT from the link information of the AID of the
searcher and the link information of the AID of the
registrant who satisfied the search conditions, the
transfer control flag value, and the validity period value.
In this link specifying 1-to-1 PAT, the transfer
control flag value and the validity period value are set as
shown in a part (c) of Fig. 34, and by setting up this
validity period in advance, it is possible to limit
connections from the sender.

It is also possible to prohibit connections from a
third person who does not have the access right, by using
the transfer control flag value. Namely, when the transfer
control flag value is set to be 1, the sender's AID is
authenticated between the SCS 5 and the sender according to
an arbitrary challenge/response process, so that even if
the sender gives both the sender's AID and the PAT to
another user other than the sender, that another user will
not be able to make a connection to the registrant of the
ADS 7 through the SCS 5. On the other hand, when the
transfer control flag value is set to be 0, no
challenge/response process will be carried out between the
SCS 5 and the sender, so that if the sender gives both the
sender's AID and the PAT to another user other than the
sender, that another user will also be able to make a
connection to the registrant of the ADS 7 through the SCS
5.

It is also possible to make a connection request to
the communication network such that a call for which the
recipient is specified by the link specifying 1-to-1 PAT
will be received by the recipient's AID or the sender's AID
specified by the link information of the link specifying
1-to-1 PAT. In addition, it is also possible to refuse
receiving calls with the link specifying 1-to-1 PAT
selected by the recipient among calls which are specified
by the link specifying 1-to-1 PAT. It is also possible to
cancel the receiving refusal of the calls with the link
specifying 1-to-1 PAT selected by the recipient. In
addition, as a measure against the sender who repeats the
personal attack using a plurality of sender's AIDs by
taking advantage of the anonymity, it is possible to
judge the identity of the OID from this plurality of
sender's AIDs and it is possible to extract that OID with
some probability.

Next, with references to Fig. 40 to Fig. 49, the
seventh embodiment of the email access control scheme
according to the present invention will be described in
detail.

In contrast to the sixth embodiment described above
which is directed to the case where a sender and a
recipient are set in 1-to-1 correspondence, this seventh
embodiment is directed to the case where a sender and
recipients are set in 1-to-N correspondence and a
generation of a new link specifying 1-to-N PAT and a
content change of the existing link specifying 1-to-N PAT
can be made by the initiative of a user, similarly as in
the second embodiment described above. Here, the sender is
either a holder of the PAT or a member of the PAT.
Similarly, the recipient is either a holder of the PAT or a
member of the PAT.
As described in the second embodiment, in general, a
membership of a group communication (mailing list, etc.) is
changing dynamically so that it is necessary for a host of
the group communication to manage information on a point of
contact such as telephone number, email address, etc., of
each member. In contrast, in the case where it is possible
to newly generate a 1-to-1 PAT as in the sixth embodiment,
the management of a point of contact is difficult. For
example, it is difficult to manage the group collectively,
and even if it is given to the others for the purpose of
the transfer control, it does not function as an address of
the group communication such as mailing list.

In this seventh embodiment, in order to resolve such a
problem, it is made possible to carry out a generation of a
new link specifying 1-to-N PAT and a content change of the
existing link specifying 1-to-N PAT by the initiative of a
user.

First, the definition of various identifications used 
in this seventh embodiment will be described with 
references to Fig. 40 and Fig. 41. 

As shown in a part (a) of Fig. 40, the OID is an
information comprising an arbitrary character string
(telephone number, email address, etc.) according to a rule
by which the CA 1 can uniquely identify the user and a
public key, which is signed by the CA 1.

Also, as shown in a part (b) of Fig. 40, the link
information attached AID is an information comprising
fragments of the OID and their position information,
redundant character strings, an SCS information given by an
arbitrary character string (host name, real domain name,
etc.) by which a host or a domain that is operating the SCS
5 can be uniquely identified on the network, and a link
information, which is signed by the CA 1. Note that the AID
may be encrypted at the SCS 5 or the CA 1. The link
information is the same as in the sixth embodiment.
Also, as shown in a part (c) of Fig. 40, the link
specifying 1-to-N PAT is an information comprising: two or
more link informations of AIDs, a holder index, the
validity period, the transfer control flag, and a PAT
processing device identifier, which is signed using a
secret key of the PAT processing device.

Here, one of the link informations of AIDs is the link
information of the holder AID of this PAT, where the change
of the information contained in the PAT such as an addition
of the link information of AID to the PAT, a deletion of
the link information of AID from the PAT, a change of the
validity period in the PAT, a change of the transfer
control flag value in the PAT, etc., can be made by
presenting the link information of the holder AID and a
corresponding Enabler to the PAT processing device.

On the other hand, the link informations of AIDs other
than the link information of the holder AID that are
contained in the PAT are all link informations of member
AIDs, where a change of the information contained in the
PAT cannot be made even when the link information of the
member AID and a corresponding Enabler are presented to the
PAT processing device.

The holder index is a numerical data for identifying
the link information of the holder AID, which is defined to
take a value 1 when the link information of the holder AID
is a top link information of AID in the link specifying AID
list formed from the link information of the holder AID and
the link informations of the member AIDs, a value 2 when
the link information of the holder AID is a second link
information of AID from the top of the link specifying AID
list, or a value n when the link information of the holder
AID is an n-th link information of AID from the top of the
link specifying AID list.

The transfer control flag value is defined to take
either 0 or 1 similarly as in the case of the link
specifying 1-to-1 PAT.

The link information of the holder AID is defined to
be a link information of AID which is written at a position
of the holder index value in the link specifying AID list.
The link informations of the member AIDs are defined to be
all the link informations of AIDs other than the link
information of the holder AID.

The validity period is defined by any one or
combination of the number of times for which the PAT is
available, the absolute time (UTC) by which the PAT becomes
unavailable, the absolute time (UTC) by which the PAT
becomes available, and the relative time (lifetime) since
the PAT becomes available until it becomes unavailable.

The identifier of a PAT processing device (or a PAT
processing object on the network) is defined as a serial
number of the PAT processing device (or a distinguished
name of the PAT processing object on the network). The
secret key of the PAT processing device (or the PAT
processing object on the network) is defined to be uniquely
corresponding to the identifier.

Also, in this second embodiment, an Enabler is
introduced as an identifier corresponding to the AID. As
shown in Fig. 41, the Enabler is an information comprising
a character string uniquely indicating that it is an
Enabler and a link information attached AID itself, which
is signed by the CA 1.

Next, the operations for a generation of a new PAT and
a content change of the existing PAT will be described.
Here, the following operations are defined at a secure PAT
processing device on the communication terminal or a PAT
processing object on the CA or on a network which is
properly requested from the CA (which will also be referred
to as a PAT processing device hereafter). These operations
are similar to those of the second embodiment described
above so that they will be described by referring to Fig.
10 to Fig. 13, but it is assumed that each occurrence of AID
in Fig. 10 to Fig. 13 should be replaced by the link
information of AID in the following.

1. Editing of link specifying AID list: 

A link specifying AID list, which is a list of link
informations of AIDs contained in the PAT, is edited using
link information attached AIDs and Enablers. Else, the link
specifying AID list is newly generated.

2. Setting of the validity period and the transfer
control flag:

The validity period value and the transfer control
flag value contained in the PAT are changed using a link
information attached AID and Enabler. Also, a new validity
period value and a new transfer control flag value are set
in the newly generated link specifying AID list.

A user who presented the holder AID and the Enabler
corresponding to this holder AID to the PAT processing
device can edit the list of link informations of AIDs
contained in the PAT. In this case, the following
processing rules are used.

(1) Generating a new PAT (MakePAT) (see Fig. 10):

The link specifying AID list (LALIST<(link)holder AID
| (link)member AID1, (link)member AID2, ..., (link)member
AIDn>, where (link)AIDx denotes the link information of
AIDx) is newly generated, and the validity period value and
the transfer control flag value are set with respect to the
generated LALIST.

(link)AIDa + (link)AIDb + Enabler of AIDb + Enabler of AIDa
-> LALIST<(link)AIDa | (link)AIDb>

LALIST<(link)AIDa | (link)AIDb> + Enabler of AIDa
+ validity period value + transfer control flag value
-> PAT<(link)AIDa | (link)AIDb>

15 

(2) Merging PATs (MergePAT) (see Fig. 11):

A plurality of LALISTs of the same holder AID are
merged and the validity period value and the transfer
control flag value are set with respect to the merged
LALIST.

LALIST<(link)AIDa | (link)AIDb1, (link)AIDb2, ...>
+ LALIST<(link)AIDa | (link)AIDc1, (link)AIDc2, ...>
+ Enabler of AIDa
-> LALIST<(link)AIDa | (link)AIDb1, (link)AIDb2, ...,
          (link)AIDc1, (link)AIDc2, ...>

LALIST<(link)AIDa | (link)AIDb1, (link)AIDb2, ...,
       (link)AIDc1, (link)AIDc2, ...>
+ Enabler of AIDa + validity period value
+ transfer control flag value
-> PAT<(link)AIDa | (link)AIDb1, (link)AIDb2, ...,
       (link)AIDc1, (link)AIDc2, ...>

(3) Splitting a PAT (SplitPAT) (see Fig. 12):

The LALIST is split into a plurality of LALISTs of the
same holder AID, and the respective validity period value
and transfer control flag value are set with respect to
each one of the split LALISTs.

LALIST<(link)AIDa | (link)AIDb1, (link)AIDb2, ...,
       (link)AIDc1, (link)AIDc2, ...>
+ Enabler of AIDa
-> LALIST<(link)AIDa | (link)AIDb1, (link)AIDb2, ...>
   + LALIST<(link)AIDa | (link)AIDc1, (link)AIDc2, ...>

LALIST<(link)AIDa | (link)AIDc1, (link)AIDc2, ...>
+ Enabler of AIDa + validity period value
+ transfer control flag value
-> PAT<(link)AIDa | (link)AIDc1, (link)AIDc2, ...>

(4) Changing a holder of a PAT (TransPAT) (see Fig. 13):

The holder AID of the LALIST is changed, and the
validity period value and the transfer control flag value
are set with respect to the changed LALIST.

LALIST<(link)AIDa | (link)AIDb>
+ LALIST<(link)AIDa | (link)AIDc1, (link)AIDc2, ...>
+ Enabler of AIDa + Enabler of AIDb
-> LALIST<(link)AIDb | (link)AIDc1, (link)AIDc2, ...>

LALIST<(link)AIDb | (link)AIDc1, (link)AIDc2, ...>
+ Enabler of AIDb + validity period value
+ transfer control flag value
-> PAT<(link)AIDb | (link)AIDc1, (link)AIDc2, ...>

In the operation for setting the validity period
value, in order to permit the setting of the validity
period value only to a user who holds both the holder AID
and the corresponding Enabler, the following operation is
defined.

PAT<(link)AIDa | (link)AIDb> + Enabler of AIDa
+ validity period value
-> PAT<(link)AIDa | (link)AIDb>

In the operation for setting the transfer control flag
value, in order to permit the setting of the transfer
control flag value only to a user who holds both the holder
AID and the corresponding Enabler, the following operation
is defined.

PAT<(link)AIDa | (link)AIDb> + Enabler of AIDa
+ transfer control flag value
-> PAT<(link)AIDa | (link)AIDb>
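The four LALIST operations (MakePAT, MergePAT, SplitPAT, TransPAT) and the two setting operations above, as an added example that is not part of the patent text. It models an Enabler as the pair ("Enabler", link), uses an HMAC under a constructed key in place of the PAT processing device's signature, places the holder at position 1 of every output list (the page allows any holder index), and requires the Enabler of every listed AID for MakePAT, following the form of the Fig. 10 operation; the constructed link names lA, lB, ... stand for the link informations (link)AIDa, (link)AIDb, ...:

```python
import hashlib
import hmac
from dataclasses import dataclass

DEVICE_ID = "pat-device-0001"              # constructed PAT processing device identifier
DEVICE_KEY = b"constructed-device-secret"  # stand-in for the device's secret key

def enabler_of(link):
    """'Enabler of AIDx' for the AID whose link information is `link`."""
    return ("Enabler", link)

class PATError(Exception):
    """Raised when an operation is attempted without the required Enabler."""

@dataclass
class LALIST:
    links: list            # link specifying AID list
    holder_index: int = 1  # 1-based position of the holder's link information

    @property
    def holder(self):
        return self.links[self.holder_index - 1]

    @property
    def members(self):
        return [l for i, l in enumerate(self.links, 1) if i != self.holder_index]

@dataclass(frozen=True)
class PAT:
    links: tuple
    holder_index: int
    validity: str          # validity period value, kept as an opaque string here
    transfer_control: int  # 0 or 1
    device_id: str
    signature: bytes

    def lalist(self):
        return LALIST(list(self.links), self.holder_index)

def _require_holder_enabler(lalist, enablers):
    if enabler_of(lalist.holder) not in enablers:
        raise PATError("Enabler of the holder AID was not presented")

def make_pat(links, enablers):
    """MakePAT (Fig. 10): the first link information becomes the holder; the
    Fig. 10 form presents every listed AID's Enabler, so all are required."""
    if len(links) < 2:
        raise PATError("a PAT needs two or more link informations")
    missing = [l for l in links if enabler_of(l) not in enablers]
    if missing:
        raise PATError(f"Enabler missing for {missing}")
    return LALIST(list(links), 1)

def merge_pat(pats, enablers):
    """MergePAT (Fig. 11): LALISTs of the same holder are merged, members in order."""
    first = pats[0].lalist()
    _require_holder_enabler(first, enablers)
    merged = [first.holder]
    for pat in pats:
        lalist = pat.lalist()
        if lalist.holder != first.holder:
            raise PATError("all PATs must have the same holder AID")
        for member in lalist.members:
            if member not in merged:
                merged.append(member)
    return LALIST(merged, 1)

def split_pat(pat, groups, enablers):
    """SplitPAT (Fig. 12): one LALIST of the same holder per group of members."""
    source = pat.lalist()
    _require_holder_enabler(source, enablers)
    result = []
    for group in groups:
        unknown = [m for m in group if m not in source.members]
        if unknown:
            raise PATError(f"not members of the PAT: {unknown}")
        result.append(LALIST([source.holder] + list(group), 1))
    return result

def trans_pat(pat1, pat2, new_holder, enablers):
    """TransPAT (Fig. 13): PAT<A|B> + PAT<A|C...> + Enabler of A + Enabler of B
    gives LALIST<B|C...>; B must be a member of the first PAT."""
    first, second = pat1.lalist(), pat2.lalist()
    if first.holder != second.holder:
        raise PATError("both PATs must have the same holder AID")
    if new_holder not in first.members:
        raise PATError("the new holder must be a member of the first PAT")
    _require_holder_enabler(first, enablers)
    if enabler_of(new_holder) not in enablers:
        raise PATError("Enabler of the new holder AID was not presented")
    return LALIST([new_holder] + second.members, 1)

def issue_pat(lalist, enablers, validity, transfer_control):
    """Set the validity period and transfer control flag and sign: only a user
    presenting the holder AID together with its Enabler may do this."""
    _require_holder_enabler(lalist, enablers)
    if transfer_control not in (0, 1):
        raise PATError("transfer control flag must be 0 or 1")
    fields = [*lalist.links, str(lalist.holder_index), validity, str(transfer_control), DEVICE_ID]
    signature = hmac.new(DEVICE_KEY, "|".join(fields).encode(), hashlib.sha256).digest()
    return PAT(tuple(lalist.links), lalist.holder_index, validity, transfer_control, DEVICE_ID, signature)

def set_validity(pat, enablers, validity):
    return issue_pat(pat.lalist(), enablers, validity, pat.transfer_control)

def set_transfer_control(pat, enablers, flag):
    return issue_pat(pat.lalist(), enablers, pat.validity, flag)
```

Every mutating path funnels through the holder check, which is the property the page is after: a member who holds a PAT and his own Enabler can read the list but cannot merge, split, re-sign or re-home it, and after TransPAT the old holder's Enabler stops working because the holder index now points at the new holder.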

Next, with references to Fig. 42 to Fig. 48, the
overall system configuration of this seventh embodiment
will be described. In Fig. 42 to Fig. 48, the user-A who
has AIDa allocated from the CA stores AIDa and Enabler of
AIDa in a computer of the user-A, and the input/output
devices such as floppy disk drive, CD-ROM drive,
communication board, microphone, speaker, etc., are
connected. Else, AIDa and Enabler of AIDa are stored in a
communication terminal (telephone, cellular phone, etc.)
which has a storage device and a data input/output
function.

Similarly, the user-B who has AIDb allocated from the
CA stores AIDb and Enabler of AIDb in a computer of the
user-B, and the input/output devices such as floppy disk
drive, CD-ROM drive, communication board, microphone,
speaker, etc., are connected. Else, AIDb and Enabler of
AIDb are stored in a communication terminal (telephone,
cellular phone, etc.) which has a storage device and a data
input/output function.

In the following, a procedure by which the user-A
generates PAT<(link)AIDa | (link)AIDb> will be described.

(1) The user-A acquires AIDb and Enabler of AIDb using any
of the following means.

* AIDb and Enabler of AIDb are registered at the ADS
7, and it is waited until the user-A acquires them as a
search result (Fig. 42).

* AIDb and Enabler of AIDb are directly transmitted to
the user-A by the email, signaling, etc. (Figs. 43, 44).

* AIDb and Enabler of AIDb are stored in a magnetic,
optic, or electronic medium such as floppy disk, CD-ROM,
MO, IC card, etc., and this medium is given to the user-A.
Else, it is waited until the user-A acquires them by
reading this medium (Figs. 45, 46).

* AIDb and Enabler of AIDb are printed on a paper
medium such as book, name card, etc., and this medium is
given to the user-A. Else, it is waited until the user-A
acquires them by reading this medium (Figs. 47, 48).

(2) The user-A who has acquired AIDb and Enabler of AIDb
by any of the means described in the above (1) issues the
MakePAT command to the PAT processing device. This
procedure is common to Fig. 42 to Fig. 48, and defined as
follows.

(a) The user-A requests the issuance of the MakePAT
command by setting AIDa, Enabler of AIDa, AIDb, Enabler of
AIDb, the validity period value, and the transfer control
flag value into the communication terminal of the user-A.

(b) The communication terminal of the user-A generates
the MakePAT command.

(c) The communication terminal of the user-A transmits
the generated MakePAT command to the PAT processing device
by means such as the email, signaling, etc. (the issuance
of the MakePAT command).

(d) The PAT processing device generates PAT<(link)AIDa
| (link)AIDb> by processing the received MakePAT command
according to Fig. 21 and Fig. 49. More specifically, this
is done as follows.
(link)AIDa + (link)AIDb + Enabler of AIDb + Enabler of AIDa
-> LALIST<(link)AIDa | (link)AIDb>

LALIST<(link)AIDa | (link)AIDb> + Enabler of AIDa
+ validity period value + transfer control flag value
-> PAT<(link)AIDa | (link)AIDb>

(e) The PAT processing device transmits the generated
PAT<(link)AIDa | (link)AIDb> to the communication terminal
of the user-A, or to the communication terminal of the
user-B according to the need, by means such as the email,
signaling, etc.

(f) The communication terminal of the user-A (or the
user-B) stores the received PAT<(link)AIDa | (link)AIDb> in
the storage device of the communication terminal of the
user-A.

The merging of PATs (MergePAT, Fig. 21, Fig. 49), the
splitting of a PAT (SplitPAT, Fig. 22, Fig. 49), and the
changing of a holder of a PAT (TransPAT, Fig. 21, Fig. 49)
are also carried out by the similar procedure.

The procedure of MakePAT, MergePAT and TransPAT is
similar to that described above with reference to Fig. 21,
except that the AID should be replaced by the link
information of the AID and the AID list should be replaced
by the link specifying AID list. Also, the procedure of
SplitPAT is similar to that described above with reference
to Fig. 22, except that the AID should be replaced by the
link information of the AID and the AID list should be
replaced by the link specifying AID list.
Here, in the procedures of Fig. 21 and Fig. 22, the
link specifying AID list generation is carried out
according to Fig. 49 as follows. Namely, a buffer length is
determined first (step S9011) and a buffer is generated
(step S9012). Then, the link information of the holder AID
is copied to a vacant region of the generated buffer (step
S9017). Then, the link information of the member AID is
copied to a vacant region of the resulting buffer (step
S9018), and if the next member AID exists (step S9015 YES),
the step S9018 is repeated.

Next, the determination of the link information of the
holder AID will be described. Each of the MakePAT, the
MergePAT, the SplitPAT, and the TransPAT commands is
defined to have two or more arguments, where AID, PAT, or
Enabler can be specified as an argument. In this case, the
PAT processing device specifies the link information of the
holder AID of the PAT to be outputted after executing each
command according to the following rules.
* Case of the MakePAT: 

For the MakePAT command, it is defined that AIDs are
to be specified for the first argument to the N-th
argument (N = 2, 3, ...) and Enablers are to be specified
for the N+1-th and subsequent arguments. For example, they
can be specified as follows.

MakePAT AID1, AID2, ..., AIDn, Enabler of AID1,
Enabler of AID2, ..., Enabler of AIDn

The PAT processing device interprets the link
information of AID of the first argument of the MakePAT
command as the link information of the holder AID.

Only when one of the Enablers of the N+1-th and
subsequent arguments corresponds to the AID of the first
argument, the PAT processing device specifies the link
information of this AID (that is the link information of
the AID of the first argument) as the link information of
the holder AID of the PAT to be outputted after executing
the MakePAT command.

* Case of the MergePAT:

For the MergePAT command, it is defined that PATs are
to be specified for the first argument to the N-th
argument (N = 2, 3, ...) and Enabler is to be specified for
the N+1-th argument. Namely, they can be specified as
follows.

MergePAT PAT1 PAT2 ... PATn Enabler of AID

The PAT processing device interprets the link
information of the holder AID of the PAT of the first
argument of the MergePAT command as the link information of
the holder AID of the PAT to be outputted after executing
the MergePAT command.

Only when the Enabler of the N+1-th argument
corresponds to the holder AID of the PAT of the first
argument, the PAT processing device specifies the link
information of this AID (that is the link information of
the holder AID of the PAT of the first argument) as the
link information of the holder AID of the PAT to be
outputted after executing the MergePAT command.
* Case of the SplitPAT:

For the SplitPAT command, it is defined that PAT is to be specified for the first argument, a set of one or more AIDs grouped together by some prescribed symbols (assumed to be parentheses () in this example) are to be specified for the second argument to the N-th argument (N = 3, 4, ...), and Enabler is to be specified for the N+1-th argument. Namely, they can be specified as follows.

SplitPAT PAT1 (AID1-1) (AID2-1 AID2-2) ... (AIDn-1 AIDn-2 ... AIDn-n) Enabler of AID

The PAT processing device interprets the link information of the holder AID of the PAT of the first argument of the SplitPAT command as the link information of the holder AID of the PAT to be outputted after executing the SplitPAT command.

Only when the Enabler of the N+1-th argument corresponds to the holder AID of the PAT of the first argument, the PAT processing device specifies the link information of this AID (that is the link information of the holder AID of the PAT of the first argument) as the link information of the holder AID of the PAT to be outputted after executing the SplitPAT command.

* Case of the TransPAT:

For the TransPAT command, it is defined that PATs are to be specified for the first argument and the second argument, an AID is to be specified for the third argument, and Enablers are to be specified for the fourth argument and the fifth argument. Namely, they can be specified as follows.

TransPAT PAT1 PAT2 AID Enabler of AID1 Enabler of AID2

The PAT processing device interprets the link information of AID of the third argument as the link information of the holder AID of the PAT to be outputted after executing the TransPAT command provided that the link information of AID of the third argument of the TransPAT command is contained in the PAT of the second argument.

Only when the Enabler of the fourth argument corresponds to both the PAT of the first argument and the PAT of the second argument and the Enabler of the fifth argument corresponds to the AID of the third argument, the PAT processing device specifies the link information of the AID of the third argument as the link information of the holder AID of the PAT to be outputted after executing the TransPAT command.

Next, the determination of the link informations of the member AIDs will be described. The definitions of the MakePAT, the MergePAT, the SplitPAT, and the TransPAT commands are as described above. The PAT processing device specifies the link informations of the member AIDs of the PAT to be outputted after executing each command according to the following rules.

* Case of the MakePAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the MakePAT command is formally determined, the PAT processing device interprets all the link informations of the AIDs of the second and subsequent arguments of the MakePAT command as the link informations of the member AIDs of the PAT to be outputted after executing the MakePAT command.

The PAT processing device specifies only the link informations of those AIDs among all the AIDs of the second and subsequent arguments which correspond to the Enablers specified by the N+1-th and subsequent arguments as the link informations of the member AIDs of the PAT to be outputted after executing the MakePAT command.

* Case of the MergePAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the MergePAT command is formally determined, the PAT processing device specifies the link informations of the member AIDs of all the PATs specified by the first to N-th arguments of the MergePAT as the link informations of the member AIDs of the PAT to be outputted after executing the MergePAT command.
* Case of the SplitPAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the SplitPAT command is formally determined, the PAT processing device specifies the link information of the member AID of the PAT specified by the first argument of the SplitPAT command as the link information of the member AID of the PAT to be outputted after executing the SplitPAT command. At this point, the link informations of the member AIDs are distributed into different PATs in units of parentheses (). For example, in the case of:

SplitPAT PAT (AID1-1) (AID2-1 AID2-2) ... (AIDn-1 AIDn-2 ... AIDn-m) Enabler of AID

the link informations of (AID1-1), (AID2-1 AID2-2) and (AIDn-1 AIDn-2 ... AIDn-m) will be the link informations of the member AIDs of different PATs having a common link information of holder AID.

* Case of the TransPAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the TransPAT command is formally determined, the PAT processing device specifies all the link informations of the member AIDs remaining after excluding the link information of the member AID that is scheduled to be a new holder AID from all the link informations of the member AIDs of the PAT specified by the first argument of the TransPAT command and the link informations of the member AIDs of the PAT specified by the second argument as the link informations of the member AIDs of the PAT to be outputted after executing the TransPAT command.

The verification of the properness of the Enabler in this seventh embodiment is the same as described above with reference to Fig. 24. Also, this verification of the properness of the Enabler is common to the MakePAT, the MergePAT, the SplitPAT and the TransPAT.
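The holder and member rules of the four commands described above, as an added Python example that is not part of the patent: a constructed model of the PAT processing device in which an AID is represented by its link information and an Enabler is a record naming the AID it corresponds to. Assumptions not stated on the page: the Enabler properness check of Fig. 24 has already been done, a SplitPAT group may only name member AIDs of the input PAT, and the fourth-argument Enabler of TransPAT "corresponds to both PATs" when it matches the holder AID of both.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence

# Constructed model of the PAT processing device's link-information rules.
# AIDs are plain strings (their link information); an Enabler names the AID
# it corresponds to. Enabler signature verification (Fig. 24) is assumed
# to have passed before these functions are called.


@dataclass(frozen=True)
class Enabler:
    aid: str  # link information of the AID this Enabler corresponds to


@dataclass(frozen=True)
class PAT:
    holder: str              # link information of the holder AID
    members: FrozenSet[str]  # link informations of the member AIDs


class PATError(Exception):
    """The arguments or Enablers do not satisfy the command's rule."""


def corresponds(enabler: Enabler, aid: str) -> bool:
    return enabler.aid == aid


def make_pat(aids: Sequence[str], enablers: Sequence[Enabler]) -> PAT:
    """MakePAT AID1, ..., AIDN, Enabler of AID1, ...: the holder is AID1
    (only if an Enabler for it was presented); the members are those of
    AID2..AIDN for which an Enabler was also presented."""
    if len(aids) < 2:
        raise PATError("MakePAT needs N >= 2 AIDs")
    holder = aids[0]
    if not any(corresponds(e, holder) for e in enablers):
        raise PATError("no Enabler corresponds to the first-argument AID")
    members = frozenset(a for a in aids[1:]
                        if any(corresponds(e, a) for e in enablers))
    return PAT(holder, members)


def merge_pat(pats: Sequence[PAT], enabler: Enabler) -> PAT:
    """MergePAT PAT1 ... PATN Enabler: the holder is the holder of PAT1
    (only if the Enabler corresponds to it); the members are the union of
    the members of all input PATs."""
    if len(pats) < 2:
        raise PATError("MergePAT needs N >= 2 PATs")
    if not corresponds(enabler, pats[0].holder):
        raise PATError("Enabler does not correspond to the holder of PAT1")
    members = frozenset().union(*(p.members for p in pats))
    return PAT(pats[0].holder, members)


def split_pat(pat: PAT, groups: Sequence[Sequence[str]],
              enabler: Enabler) -> List[PAT]:
    """SplitPAT PAT (AIDs) (AIDs) ... Enabler: one output PAT per group,
    all with the input holder. Assumption: every group may only name
    member AIDs of the input PAT."""
    if len(groups) < 2:
        raise PATError("SplitPAT needs at least two groups (N >= 3)")
    if not corresponds(enabler, pat.holder):
        raise PATError("Enabler does not correspond to the holder of PAT")
    outputs = []
    for group in groups:
        group_set = frozenset(group)
        if not group_set <= pat.members:
            raise PATError(f"group {sorted(group_set)} names non-member AIDs")
        outputs.append(PAT(pat.holder, group_set))
    return outputs


def trans_pat(pat1: PAT, pat2: PAT, new_holder: str,
              holder_enabler: Enabler, new_holder_enabler: Enabler) -> PAT:
    """TransPAT PAT1 PAT2 AID Enabler-of-AID1 Enabler-of-AID2: the third
    argument, a member of PAT2, becomes the holder; the members are all
    members of PAT1 and PAT2 except the new holder. Assumption: the
    fourth-argument Enabler must match the holder AID of both PATs."""
    if new_holder not in pat2.members:
        raise PATError("new holder AID is not contained in PAT2")
    if not (corresponds(holder_enabler, pat1.holder)
            and corresponds(holder_enabler, pat2.holder)):
        raise PATError("fourth-argument Enabler does not match both PATs")
    if not corresponds(new_holder_enabler, new_holder):
        raise PATError("fifth-argument Enabler does not match the new holder")
    members = (pat1.members | pat2.members) - {new_holder}
    return PAT(new_holder, members)
```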


Next, the eighth embodiment of the email access control scheme according to the present invention will be described in detail.

In this eighth embodiment, the OID is given by a real 
email address. 

The PAT is an information comprising two or more real email addresses, the holder index, the validity period, the transfer control flag and the PAT processing device identifier (or the identifier of the PAT processing object on the network), which is signed using a secret key of the PAT processing device (or the PAT processing object on the network).

Here, one of the real email addresses is a holder email address of this PAT, where the change of the information contained in the PAT such as an addition of email address to the PAT, a deletion of email address from the PAT, a change of the validity period in the PAT, a change of the transfer control flag value in the PAT, etc., can be made by presenting the holder email address and an Enabler containing the holder email address to the PAT processing device (or the PAT processing object on the network).

On the other hand, the email addresses other than the holder email address that are contained in the PAT are all member email addresses, where a change of the information contained in the PAT cannot be made even when the member email address and an Enabler containing the member email address are presented to the PAT processing device (or the PAT processing object on the network).

The holder index is a numerical data for identifying the holder email address, which is defined to take a value 1 when the holder email address is a top email address in the email address list formed from the holder email address and the member email addresses, a value 2 when the holder email address is a second email address from the top of the email address list, or a value n when the holder email address is an n-th email address from the top of the email address list.

The transfer control flag value is defined to take either 0 or 1.

The holder email address is defined to be a real email address which is written at a position specified by the holder index in the email address list. The member email addresses are defined to be all the email addresses other than the holder email address.

The validity period is defined by any one or combination of the number of times for which the PAT is available, the absolute time (UTC) by which the PAT becomes unavailable, the absolute time (UTC) by which the PAT becomes available, and the relative time (lifetime) since the PAT becomes available until it becomes unavailable.

The identifier of the PAT processing device (or the PAT processing object on the network) is defined as a serial number of the PAT processing device (or a distinguished name of the PAT processing object on the network). The secret key of the PAT processing device (or the PAT processing object on the network) is defined to be uniquely corresponding to the identifier.

Also, in this eighth embodiment, an Enabler is defined as an identifier corresponding to the real email address. The Enabler is an information comprising a character string uniquely indicating that it is an Enabler and a real email address itself, which is signed using the secret key of the PAT processing device or the PAT processing object on the network.

The generation of the PAT in this eighth embodiment is carried out as follows.

Here, a directory will be described as an example of the PAT processing object on the network. The directory manages the real email address and the disclosed information of the user in correspondence, and outputs the PAT upon receiving the search conditions presented from an arbitrary user.

The user transmits the real email address and the search conditions to the directory. Then, the directory acquires all the real email addresses which uniquely correspond to the disclosed information that satisfies these search conditions. Then, the directory generates a real email address list from the real email address of the user who presented the search conditions and all the real email addresses acquired as a search result. Then, the directory appends the holder index value, the validity period value, the transfer control flag value, and the distinguished name of the directory to the real email address list. Finally, the directory signs the resulting data using a secret key of the directory, and transmits it as the PAT to the user who presented the search conditions.

Next, the email access control in this eighth 
embodiment is carried out as follows. 

The sender specifies the real email address of the sender in From: line, and "[PAT]@[real domain of sender]" in To: line of a mail.

The SCS acquires an email received by an MTA (Message Transfer Agent) such as SMTP (Simple Mail Transfer Protocol), and carries out the authentication by the following procedure.

(1) The signature of the PAT is verified using the public key of the PAT.

When the PAT is found to have been altered, the email is discarded and the processing is terminated. When the PAT is found to have been not altered, the following processing (2) is executed.

(2) The search is carried out by presenting the sender's real email address to the PAT.

When a real email address that completely matches with the sender's real email address is not contained in the PAT, the email is discarded and the processing is terminated.

When a real email address that completely matches with the sender's real email address is contained in the PAT, the following processing (3) is executed.

(3) The validity period value of the PAT is evaluated.

When the PAT is outside the validity period, the email is discarded and the processing is terminated.

When the PAT is within the validity period, the following processing (4) is executed.

(4) Whether or not to authenticate the sender is determined by referring to the transfer control flag value of the PAT.

When the value is 1, the challenge/response authentication between the SCS and the sender is carried out, and the signature of the sender is verified. When the signature is valid, the recipient is specified and the PAT is attached. When the signature is invalid, the email is discarded and the processing is terminated.

When the value is 0, the recipient is specified and the PAT is attached without executing the challenge/response authentication.

An exemplary challenge/response authentication between the SCS and the sender in this eighth embodiment can be carried out as follows.

First, the SCS generates an arbitrary information such as a timestamp, for example, and transmits the generated information to the sender.

Then, the sender generates the secret key and the public key, signs the received information using the secret key, and transmits it along with the public key.

The SCS then verifies the signature of the received information using the public key presented from the sender. When the signature is valid, the recipient is specified and the PAT is attached. When the signature is invalid, the email is discarded and the processing is terminated.

The specifying of the recipient and the attaching of 
the PAT at the SCS in this eighth embodiment can be carried 
out as follows. 

First, the SCS carries out the search by presenting the sender's real email address to the PAT, so as to acquire all the real email addresses which do not completely match the sender's real email address. Then, all these acquired real email addresses are specified as recipient's real email addresses.

Next, the SCS attaches the PAT to an arbitrary position in the email in order to transmit the PAT to all the recipient's email addresses so as to be able to realize the bidirectional communications. Finally, the SCS gives the email to the MTA.

The receiving refusal with respect to the PAT at the SCS in this eighth embodiment can be carried out as follows.

Receiving refusal setting: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user transmits a registration command, his/her own real email address, and arbitrary PATs to the SCS 5. Then, the SCS 5 next verifies the signature of each received PAT using a public key of the ADS. Those PATs with the invalid signature are discarded by the SCS 5. When the signature is valid, the SCS 5 carries out the search by presenting the received real email address to each PAT. For each of those PATs which contain the real email address that completely matches with the received real email address, the SCS 5 presents the registration command and the PAT to the storage device such that the PAT is registered into the storage device. Those PATs which do not contain the real email address that completely matches with the received real email address are discarded by the SCS 5 without storing them into the storage device.

Receiving refusal execution: The SCS 5 carries out the search by presenting the PAT to the storage device. When a PAT that completely matches the presented PAT is registered in the storage device, the mail is discarded. When a PAT that completely matches the presented PAT is not registered in the storage device, the mail is not discarded.

Receiving refusal cancellation: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user presents his/her own real email address to the SCS 5. Then, the SCS 5 next presents the presented real email address as a search condition to the storage device and acquires all the PATs that contain the presented real email address, and then presents all the acquired PATs to the user. Then, the user selects all the PATs for which the receiving refusal is to be cancelled by referring to all the PATs presented from the SCS 5, and transmits all the selected PATs along with a deletion command to the SCS 5. Upon receiving the deletion command and all the PATs for which the receiving refusal is to be cancelled, the SCS 5 presents the deletion command and all the PATs received from the user to the storage device, such that all the received PATs are deleted from the storage device.
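The PAT structure and directory-side generation of this eighth embodiment together with the SCS procedure of steps (1) to (4), the recipient specification and the receiving refusal setting, execution and cancellation, as an added Python example that is not part of the patent. It assumes an HMAC-SHA256 tag under a key shared by the directory and the SCS in place of the directory's public-key signature, abstracts the sender's challenge/response into a callback, models the validity period as an absolute UTC window, treats the bidirectional user/SCS authentication as already done, and places the refusal check after step (4); the key and directory name are constructed placeholders.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of the eighth embodiment (not the patent's own code).
# An HMAC-SHA256 tag under a key shared by the directory and the SCS stands
# in for the directory's public-key signature; the sender's challenge/response
# is abstracted into a callback. Key and distinguished name are placeholders.
DIRECTORY_KEY = b"constructed-directory-key"
DIRECTORY_DN = "cn=directory,o=constructed-example"


@dataclass(frozen=True)
class PAT:
    addresses: Tuple[str, ...]  # real email address list, requester first
    holder_index: int           # 1-based position of the holder address
    not_before: int             # validity period as absolute UTC seconds
    not_after: int
    transfer_flag: int          # 1: authenticate the sender, 0: do not
    issuer: str                 # distinguished name of the directory
    signature: str              # hex tag over the fields above

    def body(self) -> bytes:
        fields = [list(self.addresses), self.holder_index, self.not_before,
                  self.not_after, self.transfer_flag, self.issuer]
        return json.dumps(fields, separators=(",", ":")).encode()

    def holder(self) -> str:
        return self.addresses[self.holder_index - 1]


def issue_pat(requester: str, search_result: List[str], holder_index: int,
              not_before: int, not_after: int, transfer_flag: int) -> PAT:
    """Directory side: address list = requester + search hits; the holder
    index, validity period, flag and DN are appended and the result signed."""
    addresses = (requester,) + tuple(search_result)
    unsigned = PAT(addresses, holder_index, not_before, not_after,
                   transfer_flag, DIRECTORY_DN, "")
    tag = hmac.new(DIRECTORY_KEY, unsigned.body(), hashlib.sha256).hexdigest()
    return PAT(addresses, holder_index, not_before, not_after,
               transfer_flag, DIRECTORY_DN, tag)


def signature_valid(pat: PAT) -> bool:
    expected = hmac.new(DIRECTORY_KEY, pat.body(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pat.signature)


class SCS:
    """Secure communication service: steps (1)-(4), recipient specification
    and the receiving-refusal storage device."""

    def __init__(self, challenge_response: Callable[[str, bytes], bool]):
        self.challenge_response = challenge_response
        self.refused: Dict[bytes, PAT] = {}  # storage device of refused PATs

    @staticmethod
    def _key(pat: PAT) -> bytes:
        # "completely matches": the whole signed PAT, not a single field
        return pat.body() + pat.signature.encode()

    def control(self, pat: PAT, sender: str, now: int) -> Optional[List[str]]:
        """Return the recipients' real addresses, or None when discarded."""
        if not signature_valid(pat):                    # (1) altered PAT
            return None
        if sender not in pat.addresses:                 # (2) exact match only
            return None
        if not pat.not_before <= now <= pat.not_after:  # (3) validity period
            return None
        if pat.transfer_flag == 1:                      # (4) authenticate
            challenge = str(now).encode()  # arbitrary information, e.g. a timestamp
            if not self.challenge_response(sender, challenge):
                return None
        # Receiving refusal execution; its place in the flow is an assumption.
        if self._key(pat) in self.refused:
            return None
        return [a for a in pat.addresses if a != sender]

    def refusal_setting(self, user: str, pats: List[PAT]) -> int:
        """Register PATs with a valid signature that contain the user's
        address (user/SCS bidirectional authentication assumed done)."""
        stored = 0
        for p in pats:
            if signature_valid(p) and user in p.addresses:
                self.refused[self._key(p)] = p
                stored += 1
        return stored

    def registered_for(self, user: str) -> List[PAT]:
        return [p for p in self.refused.values() if user in p.addresses]

    def refusal_cancellation(self, user: str, selected: List[PAT]) -> int:
        deleted = 0
        for p in selected:
            if user in p.addresses and self._key(p) in self.refused:
                del self.refused[self._key(p)]
                deleted += 1
        return deleted
```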

The editing of the PAT in this eighth embodiment can be carried out as follows.

The MakePAT, the MergePAT, the SplitPAT, and the TransPAT processings for the PAT using real email addresses as its elements can be obtained from the MakePAT, the MergePAT, the SplitPAT, and the TransPAT processings for the PAT using AIDs as its elements described above, by replacing the AID by the real email address and the Enabler of AID by the Enabler of real email address.

A Null operator is an information comprising a data which is uniquely indicating that it is Null and which has a format of the real email address, which is signed by the secret key of the PAT processing device or the PAT processing object on the network.

Similarly, the God operator is an information comprising a data which is uniquely indicating that it is God and which has a format of the real email address, which is signed by the secret key of the PAT processing device or the PAT processing object on the network.

The Enabler of Null operator is an information comprising a data which is uniquely indicating that it is Enabler and the Null operator itself, which is signed by the secret key of the PAT processing device or the PAT processing object on the network.

The processings involving the Null operator and the God operator can be obtained from the processings for the PAT using AIDs as its elements described above, by replacing the AID by the real email address, the Enabler of AID by the Enabler of real email address, the Null-AID by the Null operator, the God-AID by the God operator, and the Enabler of Null-AID by the Enabler of Null operator.

As described, according to the present invention, a PAT is used for verifying the access right of a sender and the email access control among users is carried out when the verification result is valid, so that it becomes possible to disclose the information indicative of characteristics of a user while concealing the true identification of a user and carrying out communications appropriately according to this disclosed information while preventing conventionally possible attacks from a third person. In addition, even when a recipient receives an attack from a sender who maliciously utilizes the anonymity, damages of a recipient due to that attack can be minimized.

Also, according to the present invention, the generation and the content change of the personalized access ticket can be made by the initiative of a user by using an AID assigned to each user and an Enabler defined in correspondence to the AID, so that it becomes possible to appropriately manage information such as that of a point of contact of each member of the group communication (mailing list, etc.) which changes dynamically.

Also, according to the present invention, a Null-AID and an Enabler of Null-AID can be introduced in order to carry out the generation of a new PAT (MakePAT) and the merging of PATs (MergePAT) without giving the member AID and the Enabler of the member AID to the holder of the PAT, so that it becomes possible to prevent the pretending using the member AID.

Also, according to the present invention, the Null-AID can be used only as the holder AID of the PAT (the Null-AID cannot be used as the member AID), that is PAT<AIDnull | AIDmember1, AIDmember2, ..., AIDmemberN> is allowed, but PAT<AIDholder | AIDnull, AIDmember1, AIDmember2, ..., AIDmemberN> is not allowed, so that the holder of PAT<AIDholder | AIDmember> cannot produce PAT<AIDnull | AIDmember> from this PAT<AIDholder | AIDmember> as long as the holder does not know Enabler of AIDmember.

Also, according to the present invention, a God-AID can be introduced in order to set up a read only attribute to the PAT, so that it becomes possible to fix the participants in the group communication.

Also, according to the present invention, the link information for uniquely specifying the AID can be introduced and the PAT can be given in terms of the link information such that the PAT does not contain the AID itself, so that it becomes possible to realize the receiving refusal function without using the AID itself.
It is to be noted that, besides those already mentioned above, many modifications and variations of the above embodiments may be made without departing from the novel and advantageous features of the present invention. Accordingly, all such modifications and variations are intended to be included within the scope of the appended claims.

WHAT IS CLAIMED IS:

1. A method of email access control, comprising the steps of:

receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and

controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.

2. The method of claim 1, wherein at the controlling step the secure communication service authenticates the personalized access ticket presented by the sender, and refuses a delivery of the email when the personalized access ticket presented by the sender has been altered.

3. The method of claim 2, wherein the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket, and at the controlling step the secure communication service authenticates the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

4. The method of claim 1, wherein at the receiving step the secure communication service also receives the sender's identification presented by the sender along with the personalized access ticket, and at the controlling step the secure communication service checks whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuses a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.


5. The method of claim 1, wherein the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and at the controlling step the secure communication service checks the validity period contained in the personalized access ticket presented by the sender and refuses a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already been expired.

6. The method of claim 5, wherein the validity period of the personalized access ticket is set by a trusted third party.

7. The method of claim 1, further comprising the step of:

issuing the personalized access ticket to the sender at a directory service for managing an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.


8. The method of claim 1, further comprising the step of:

registering in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service;

wherein at the controlling step the secure communication service refuses a delivery of the email from the sender when the personalized access ticket presented by the sender is registered therein in advance at the registering step.

9. The method of claim 8, further comprising the step of:

deleting the personalized access ticket registered at the secure communication service upon request from the specific registrant who registered the personalized access ticket at the registering step.

10. The method of claim 1, wherein the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service, and at the controlling step, when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the secure communication service authenticates the sender's identification presented by the sender and refuses a delivery of the email when an authentication of the sender's identification fails.

11. The method of claim 10, wherein the authentication of the sender's identification is realized by a challenge/response procedure between the sender and the secure communication service.

12. The method of claim 10, wherein the transfer control flag of the personalized access ticket is set by a trusted third party.

13. The method of claim 1, wherein the sender's identification and the recipient's identification in the personalized access ticket are given by real email addresses of the sender and the recipient.

14. The method of claim 1, wherein the sender's identification and the recipient's identification in the personalized access ticket are given by anonymous identifications of the sender and the recipient, where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority.

15. The method of claim 14, wherein the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority using a secret key of the certification authority.

16. The method of claim 14, wherein the official identification of each user is a character string uniquely assigned to each user by the certification authority and a public key of each user which are signed by a secret key of the certification authority.

17. The method of claim 14, further comprising the step of:

probabilistically identifying an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

18. The method of claim 1, wherein an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified are defined, and the sender's identification and the recipient's identification in the personalized access ticket are given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient.

19. The method of claim 1, wherein the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority.

20. The method of claim 18, further comprising the step of:

probabilistically identifying an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

21. The method of claim 1, wherein the personalized access ticket contains a single sender's identification and a single recipient's identification in 1-to-1 correspondence.

22. The method of claim 1, wherein the personalized access ticket contains a single sender's identification and a plurality of recipient's identifications in 1-to-N correspondence, where N is an integer greater than 1.

23. The method of claim 22, wherein one identification among the single sender's identification and the plurality of recipient's identifications is a holder identification for identifying a holder of the personalized access ticket while other identifications among the single sender's identification and the plurality of recipient's identifications are member identifications for identifying members of a group to which the holder belongs.

24. The method of claim 23, further comprising the step of:

issuing an identification of each user and an enabler of the identification of each user indicating a right to change the personalized access ticket containing the identification of each user as the holder identification, to each user at a certification authority, such that prescribed processing on the personalized access ticket can be carried out at a secure processing device only by a user who presented both the holder identification contained in the personalized access ticket and the enabler corresponding to the holder identification to the secure processing device.

25. The method of claim 24, wherein the certification authority issues the enabler of the identification of each user as an information indicating that it is the enabler and the identification of each user itself which are signed by a secret key of the certification authority.

26. The method of claim 24, wherein the prescribed processing includes a generation of a new personalized access ticket, a merging of a plurality of personalized access tickets, a splitting of one personalized access ticket into a plurality of personalized access tickets, a changing of the holder of the personalized access ticket, changing of a validity period of the personalized access ticket, and a changing of a transfer control flag of the personalized access ticket.

27. The method of claim 26, wherein a special identification and a special enabler corresponding to the special identification which are known to all users are defined such that the generation of a new personalized access ticket and the changing of the holder of the personalized access ticket can be carried out by the holder of the personalized access ticket by using the special identification and the special enabler without using an enabler of a member identification.

28. The method of claim 27, wherein the special identification is defined to be capable of being used only as the holder identification of the personalized access ticket.

29. The method of claim 26, wherein a special identification which is known to all users is defined such that a read only attribute can be set to the personalized access ticket by using the special identification.

30. The method of claim 1, wherein at the controlling step, when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the secure communication service takes out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, converts the mail by using a taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and gives the mail after conversion to the mail transfer function by attaching the personalized access ticket.

31. A method of email access control, comprising the steps 
of: 

defining an official identification of each user by 
which each user is uniquely identifiable by a certification 
authority, and an anonymous identification of each user 
containing at least one fragment of the official 
identification; and

identifying each user by the anonymous identification 
of each user in communications for emails on a 
communication network. 

32. The method of claim 31, wherein the anonymous 
identification of each user is an information containing 
the at least one fragment of the official identification of 
each user which is signed by the certification authority 
using a secret key of the certification authority. 

33. The method of claim 31, wherein the official 
identification of each user is a character string uniquely 
assigned to each user by the certification authority and a 
public key of each user which are signed by a secret key of 
the certification authority. 

34. The method of claim 31, further comprising the steps 
of: 

receiving a personalized access ticket containing a 
sender's anonymous identification and a recipient's 
anonymous identification in correspondence, which is 
presented by a sender who wishes to send an email to a 
recipient so as to specify the recipient as an intended 
destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and

controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.

35. The method of claim 34, further comprising the step of:

probabilistically identifying an identity of the sender at the secure communication service by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

36. The method of claim 31, wherein the defining step also defines a link information of each anonymous identification by which each anonymous identification can be uniquely identified, and each anonymous identification also contains the link information of each anonymous identification.

37. The method of claim 36, wherein the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority.

38. The method of claim 36, further comprising the steps of:

receiving a personalized access ticket containing a link information of a sender's anonymous identification and a link information of a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and

controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.

39. The method of claim 38, further comprising the step of:

probabilistically identifying an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

40. A communication system realizing email access control, comprising:

a communication network to which a plurality of user terminals are connected; and

a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

41. The system of claim 40, wherein the secure communication service device authenticates the personalized access ticket presented by the sender, and refuses a delivery of the email when the personalized access ticket presented by the sender has been altered.


42. The system of claim 41, further comprising:

a secure processing device for issuing the personalized access ticket which is signed by a secret key of the secure processing device;

wherein the secure communication service device authenticates the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

43. The system of claim 40, wherein the secure communication service device also receives the sender's identification presented by the sender along with the personalized access ticket, checks whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuses a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

44. The system of claim 40, wherein the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the secure communication service device checks the validity period contained in the personalized access ticket presented by the sender and refuses a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already expired.

45. The system of claim 44, further comprising:
a trusted third party for setting the validity period of the personalized access ticket.

46. The system of claim 40, further comprising:
a directory service device for managing an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, and issuing the personalized access ticket to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

47. The system of claim 40, wherein the secure communication service device registers in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, and refuses a delivery of the email from the sender when the personalized access ticket presented by the sender is registered therein in advance.

48. The system of claim 47, wherein the secure communication service device deletes the personalized access ticket registered therein upon request from the specific registrant who registered the personalized access ticket.

49. The system of claim 40, wherein the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the secure communication service device authenticates the sender's identification presented by the sender and refuses a delivery of the email when an authentication of the sender's identification fails.

50. The system of claim 49, wherein the authentication of the sender's identification is realized by a challenge/response procedure between the sender and the secure communication service device.

51. The system of claim 49, further comprising a trusted third party for setting the transfer control flag of the personalized access ticket.

52. The system of claim 40, wherein the sender's identification and the recipient's identification in the personalized access ticket are given by real email addresses of the sender and the recipient.

53. The system of claim 40, further comprising:

a certification authority device for issuing an anonymous identification of each user which contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by the certification authority device;

wherein the sender's identification and the recipient's identification in the personalized access ticket are given by anonymous identifications of the sender and the recipient.

54. The system of claim 53, wherein the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority device using a secret key of the certification authority device.

55. The system of claim 53, wherein the official identification of each user is a character string uniquely assigned to each user by the certification authority device and a public key of each user which are signed by a secret key of the certification authority device.

56. The system of claim 53, wherein the secure communication service device probabilistically identifies an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

57. The system of claim 40, further comprising:

a certification authority device for issuing an anonymous identification of each user which contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by the certification authority device and a link information of each anonymous identification by which each anonymous identification can be uniquely identified;

wherein the sender's identification and the recipient's identification in the personalized access ticket are given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient.

58. The system of claim 57, wherein the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority device.

59. The system of claim 57, wherein the secure communication service device probabilistically identifies an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

60. The system of claim 40, wherein the personalized access ticket contains a single sender's identification and a single recipient's identification in 1-to-1 correspondence.

61. The system of claim 40, wherein the personalized access ticket contains a single sender's identification and a plurality of recipient's identifications in 1-to-N correspondence, where N is an integer greater than 1.

62. The system of claim 61, wherein one identification among the single sender's identification and the plurality of recipient's identifications is a holder identification for identifying a holder of the personalized access ticket while other identifications among the single sender's identification and the plurality of recipient's identifications are member identifications for identifying members of a group to which the holder belongs.

63. The system of claim 62, further comprising:

a certification authority device for issuing to each user an identification of each user and an enabler of the identification of each user indicating a right to change the personalized access ticket containing the identification of each user as the holder identification; and

a secure processing device at which prescribed processing on the personalized access ticket can be carried out only by a user who presented both the holder identification contained in the personalized access ticket and the enabler corresponding to the holder identification to the secure processing device.

64. The system of claim 63, wherein the certification authority device issues the enabler of the identification of each user as an information indicating that it is the enabler and the identification of each user itself which are signed by a secret key of the certification authority device.

65. The system of claim 63, wherein the prescribed 
processing includes a generation of a new personalized 
access ticket, a merging of a plurality of personalized 
access tickets, a splitting of one personalized access 
ticket into a plurality of personalized access tickets, a 
changing of the holder of the personalized access ticket, 
changing of a validity period of the personalized access 
ticket, and a changing of a transfer control flag of the 
personalized access ticket. 

66. The system of claim 65, wherein a special identification and a special enabler corresponding to the special identification which are known to all users are defined such that the generation of a new personalized access ticket and the changing of the holder of the personalized access ticket can be carried out by the holder of the personalized access ticket by using the special identification and the special enabler without using an enabler of a member identification.

67. The system of claim 66, wherein the special identification is defined to be capable of being used only as the holder identification of the personalized access ticket.

68. The system of claim 65, wherein a special identification which is known to all users is defined such that a read only attribute can be set to the personalized access ticket by using the special identification.

69. The system of claim 40, wherein when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the secure communication service device takes out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, converts the mail by using a taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and gives the mail after conversion to the mail transfer function by attaching the personalized access ticket.

70. A communication system realizing email access control, comprising:

a certification authority device for defining an official identification of each user by which each user is uniquely identifiable by the certification authority device, and an anonymous identification of each user which contains at least one fragment of the official identification; and

a communication network on which each user is identified by the anonymous identification of each user in communications for emails on the communication network.

71. The system of claim 70, wherein the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority device using a secret key of the certification authority device.

72. The system of claim 70, wherein the official 
identification of each user is a character string uniquely 
assigned to each user by the certification authority device 
and a public key of each user which are signed by a secret 
key of the certification authority device. 

73. The system of claim 70, further comprising:
a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a sender's anonymous identification and a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

74. The system of claim 73, wherein the secure communication service device probabilistically identifies an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.
75. The system of claim 70, wherein the certification authority device also defines a link information of each anonymous identification by which each anonymous identification can be uniquely identified, and each anonymous identification also contains the link information of each anonymous identification.

76. The system of claim 75, wherein the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority device.

77. The system of claim 75, further comprising:

a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a link information of a sender's anonymous identification and a link information of a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

78. The system of claim 77, wherein the secure communication service device probabilistically identifies an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of pieces of link information of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.
79. A secure communication service device for use in a communication system realizing email access control, comprising:

a computer hardware; and
a computer software for causing the computer hardware to connect communications between the sender and the receiver, by receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

80. The secure communication service device of claim 79, wherein the computer software causes the computer hardware to authenticate the personalized access ticket presented by the sender, and refuse a delivery of the email when the personalized access ticket presented by the sender has been altered.

81. The secure communication service device of claim 80, wherein the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket, and the computer software causes the computer hardware to authenticate the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

82. The secure communication service device of claim 79, wherein the computer software causes the computer hardware to also receive the sender's identification presented by the sender along with the personalized access ticket, check whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuse a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

83. The secure communication service device of claim 79, wherein the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the computer software causes the computer hardware to check the validity period contained in the personalized access ticket presented by the sender and refuse a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already expired.

84. The secure communication service device of claim 79, wherein the computer software causes the computer hardware to register in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service device, and refuse a delivery of the email from the sender when the personalized access ticket presented by the sender is registered at the secure communication service device in advance.

85. The secure communication service device of claim 84, wherein the computer software causes the computer hardware to delete the personalized access ticket registered at the secure communication service device upon request from the specific registrant who registered the personalized access ticket.

86. The secure communication service device of claim 79, wherein the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service device, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the computer software causes the computer hardware to authenticate the sender's identification presented by the sender and refuse a delivery of the email when an authentication of the sender's identification fails.

87. The secure communication service device of claim 86, wherein the computer software causes the computer hardware to realize the authentication of the sender's identification by a challenge/response procedure between the sender and the secure communication service device.
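As an added illustration of the checks that claims 40 to 51 and 79 to 87 place in the secure communication service device (not code from the patent), the following Python model applies them in order to a presented ticket: signature of the issuing secure processing device, presented sender contained in the ticket, validity period, refusal tickets registered by a recipient, and the transfer control flag that triggers a challenge/response. It assumes an HMAC-SHA256 tag as a stand-in for the secure processing device's secret-key signature, a constructed per-sender secret for the challenge/response of claim 50 (the page does not fix that procedure), and constructed identifiers throughout.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed key of the secure processing device that issues tickets (claims 42, 81, 91).
# The patent signs the ticket with the issuer's secret key and the service verifies it
# with the issuer's public key; HMAC-SHA256 stands in for that signature here so the
# model runs offline with the standard library only (assumption of this model).
SPD_KEY = b"constructed-secure-processing-device-key"


def ticket_mac(key: bytes, body: dict) -> str:
    """Signature stand-in over the canonical JSON encoding of the ticket body."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_ticket(sender: str, recipient: str, valid_until: float, auth_flag: bool) -> dict:
    """Secure processing device side: a 1-to-1 ticket (claim 60) carrying the validity
    period (claim 44) and the transfer control flag (claim 49), signed by the issuer."""
    body = {"sender": sender, "recipient": recipient,
            "valid_until": valid_until, "auth_flag": auth_flag}
    return {**body, "sig": ticket_mac(SPD_KEY, body)}


def make_responder(secret: bytes):
    """Sender-side half of the challenge/response (constructed procedure, claim 50)."""
    return lambda nonce: hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


class SecureCommunicationService:
    """The gate in front of the mail transfer function (claims 40-51, 79-87)."""

    def __init__(self, issuer_key: bytes, sender_secrets: dict, now=time.time):
        self.issuer_key = issuer_key          # the issuer's public key in the patent
        self.sender_secrets = sender_secrets  # constructed per-sender secrets for claim 50
        self.now = now                        # injectable clock for the validity check
        self.refused = {}                     # (sender, recipient) -> registrant, claims 47-48

    def register_refusal(self, ticket: dict) -> None:
        """Claim 47: the recipient registers a ticket whose mails are to be refused."""
        self.refused[(ticket["sender"], ticket["recipient"])] = ticket["recipient"]

    def delete_refusal(self, sender: str, requester: str) -> bool:
        """Claim 48: only the registrant who recorded the refusal may delete it."""
        key = (sender, requester)
        if self.refused.get(key) != requester:
            return False
        del self.refused[key]
        return True

    def authenticate_sender(self, sender: str, respond) -> bool:
        """Claim 50: challenge/response with a fresh nonce. The page does not fix the
        procedure; an HMAC over the nonce with a per-sender secret is assumed here."""
        secret = self.sender_secrets.get(sender)
        if secret is None:
            return False
        nonce = secrets.token_hex(16)
        expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, respond(nonce))

    def check(self, ticket: dict, presented_sender: str, respond=None) -> tuple:
        """Apply the checks of claims 41-50 in order; returns (accepted, reason_or_recipient)."""
        body = {k: v for k, v in ticket.items() if k != "sig"}
        if not hmac.compare_digest(ticket_mac(self.issuer_key, body), ticket.get("sig", "")):
            return False, "ticket altered"                   # claims 41, 42
        if presented_sender != ticket["sender"]:
            return False, "presented sender not in ticket"   # claim 43
        if self.now() > ticket["valid_until"]:
            return False, "validity period expired"          # claim 44
        if (ticket["sender"], ticket["recipient"]) in self.refused:
            return False, "refused by recipient"             # claim 47
        if ticket["auth_flag"]:                              # claims 49, 50
            if respond is None or not self.authenticate_sender(presented_sender, respond):
                return False, "sender authentication failed"
        # Accepted: the recipient's identification taken out of the ticket is what the
        # mail transfer function is handed (claims 69, 90).
        return True, ticket["recipient"]


if __name__ == "__main__":
    svc = SecureCommunicationService(SPD_KEY, {"alice": b"alice-secret"}, now=lambda: 1000.0)
    ticket = issue_ticket("alice", "bob", 2000.0, True)
    print(svc.check(ticket, "alice", make_responder(b"alice-secret")))  # (True, 'bob')
    print(svc.check(dict(ticket, recipient="carol"), "alice"))          # (False, 'ticket altered')
```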

88. The secure communication service device of claim 79, wherein the sender's identification and the recipient's identification in the personalized access ticket are given by anonymous identifications of the sender and the recipient, where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority, and the computer software also causes the computer hardware to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.
89. The secure communication service device of claim 79, wherein an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified are defined, the sender's identification and the recipient's identification in the personalized access ticket are given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient, and the computer software also causes the computer hardware to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.
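The following Python model is an added illustration of the anonymous identifications of claims 31 to 39, 53 to 59, 70 to 78, 88 and 89, not code from the patent: a certification authority cuts signed fragments from an official identification, and the secure communication service later clusters the fragments seen across a sender's tickets, rejecting any that conflict where they overlap, to reconstruct that identification with the recovered fraction as its confidence. The fragment layout (offset and total length carried inside the anonymous identification), the HMAC-SHA256 stand-in for the CA's secret-key signature, the link-information registry and all identifiers are assumptions of this model.

```python
import hashlib
import hmac
import json

# Constructed secret of the certification authority. The patent signs official and anonymous
# identifications with the CA's secret key; HMAC-SHA256 stands in for that signature so the
# model runs offline with the standard library only (assumption of this model).
CA_KEY = b"constructed-certification-authority-key"


def ca_sign(body: dict) -> str:
    return hmac.new(CA_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def ca_verify(signed: dict) -> bool:
    body = {k: v for k, v in signed.items() if k != "sig"}
    return hmac.compare_digest(ca_sign(body), signed.get("sig", ""))


def issue_official_id(name: str, public_key: str) -> dict:
    """Claims 33, 55, 72: a unique string plus the user's public key, signed by the CA."""
    body = {"name": name, "pubkey": public_key}
    return {**body, "sig": ca_sign(body)}


def official_text(official: dict) -> str:
    """Serialization of the official identification that fragments are cut from (assumed)."""
    return official["name"] + "|" + official["pubkey"]


def issue_anonymous_id(official: dict, offset: int, length: int, link: str) -> dict:
    """Claims 32, 36, 37: a CA-signed fragment of the official identification together with
    its link information. Carrying the fragment's offset and the total length is an
    assumption of this model; the page only says the fragment is contained."""
    if not ca_verify(official):
        raise ValueError("official identification not signed by the CA")
    text = official_text(official)
    body = {"offset": offset, "fragment": text[offset:offset + length],
            "total": len(text), "link": link}
    return {**body, "sig": ca_sign(body)}


def consistent(a: dict, b: dict) -> bool:
    """Judge whether two anonymous identifications can stem from one official
    identification: same total length and agreement wherever the fragments overlap."""
    if a["total"] != b["total"]:
        return False
    lo = max(a["offset"], b["offset"])
    hi = min(a["offset"] + len(a["fragment"]), b["offset"] + len(b["fragment"]))
    return all(a["fragment"][i - a["offset"]] == b["fragment"][i - b["offset"]]
               for i in range(lo, hi))


def reconstruct(anon_ids: list) -> tuple:
    """Claims 35, 56, 74, 88: the service reconstructs the sender's official identification
    from the anonymous identifications seen across the tickets the sender used. The first
    valid identification seeds the cluster; only identifications consistent with every
    member already accepted are merged. Returns the partial text ('?' where no fragment
    covers a position) and the fraction recovered, which serves as the confidence."""
    valid = [a for a in anon_ids if ca_verify(a)]   # forged or altered IDs are dropped
    if not valid:
        return "", 0.0
    cluster = [valid[0]]
    for a in valid[1:]:
        if all(consistent(a, m) for m in cluster):
            cluster.append(a)
    buf = ["?"] * cluster[0]["total"]
    for a in cluster:
        for i, ch in enumerate(a["fragment"]):
            buf[a["offset"] + i] = ch
    known = sum(1 for c in buf if c != "?")
    return "".join(buf), known / len(buf)


def resolve_links(links: list, registry: dict) -> list:
    """Claims 38, 39, 57-59, 89: tickets that carry only link information are resolved to
    the anonymous identifications through a registry (assumed to be kept by the service)."""
    return [registry[link] for link in links if link in registry]


if __name__ == "__main__":
    official = issue_official_id("user0042", "PK-constructed")
    parts = [issue_anonymous_id(official, 0, 8, "L1"),
             issue_anonymous_id(official, 6, 8, "L2"),
             issue_anonymous_id(official, 15, 8, "L3")]
    print(reconstruct(parts))  # text 'user0042|PK-co?structed', confidence 22/23
```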

90. The secure communication service device of claim 79, wherein when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the computer software causes the computer hardware to take out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, convert the mail by using a taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and give the mail after conversion to the mail transfer function by attaching the personalized access ticket.

91. A secure processing device for use in a communication system realizing email access control, comprising:
a computer hardware; and

a computer software for causing the computer hardware to receive a request for a personalized access ticket from a user, and issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is signed by a secret key of the secure processing device.

92. A directory service device for use in a communication system realizing email access control, comprising:
a computer hardware; and

a computer software for causing the computer hardware to manage an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, and issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

93. A certification authority device for use in a communication system realizing email access control, comprising:

a computer hardware; and

a computer software for causing the computer hardware to issue to each user an official identification of each user by which each user is uniquely identifiable by the certification authority device, and an anonymous identification of each user which contains at least one fragment of the official identification.

94. A certification authority device for use in a communication system realizing email access control, comprising:

a computer hardware; and

a computer software for causing the computer hardware to issue to each user an identification of each user and an enabler of the identification of each user indicating a right to change any personalized access ticket that contains the identification of each user as a holder identification, where the personalized access ticket generally contains a sender's identification and a plurality of recipient's identifications in correspondence, and one of the sender's identification and the recipient's identifications is a holder identification.

95. A secure processing device for use in a communication system realizing email access control, comprising:

a computer hardware; and

a computer software for causing the computer hardware to receive from a user a request for prescribed processing on a personalized access ticket containing a sender's identification and a plurality of recipient's identifications in correspondence, where one of the sender's identification and the recipient's identifications is a holder identification, and execute the prescribed processing on the personalized access ticket when the user presented both the holder identification contained in the personalized access ticket and an enabler corresponding to the holder identification which indicates a right to change the personalized access ticket containing the identification of the user as the holder identification.

96. A computer usable medium having computer readable 
program code means embodied therein for causing a computer 
to function as a secure communication service device for 
use in a communication system realizing email access 
control, the computer readable program code means includes: 

first computer readable program code means for causing 
said computer to receive a personalized access ticket 
containing a sender's identification and a recipient's 
identification in correspondence, which is presented by a 
sender who wishes to send an email to a recipient so as to 
specify the recipient as an intended destination of the 
email; and 

second computer readable program code means for 
causing said computer to control accesses between the 
sender and the recipient by verifying an access right of 
the sender with respect to the recipient according to the 
personalized access ticket, so as to connect communications 
between the sender and the recipient on the communication 
network. 

97. The computer usable medium of claim 96, wherein the 
second computer readable program code means causes said 
computer to authenticate the personalized access ticket 
presented by the sender, and refuse a delivery of the email 
when the personalized access ticket presented by the sender 
has been altered. 

98. The computer usable medium of claim 97, wherein the 
personalized access ticket is signed by a secret key of a 
secure processing device which issued the personalized 
access ticket, and the second computer readable program 
code means causes said computer to authenticate the 
personalized access ticket by verifying a signature of the 
secure processing device in the personalized access ticket 
using a public key of the secure processing device. 

99. The computer usable medium of claim 96, wherein the 
first computer readable program code means causes said 
computer to also receive the sender's identification 
presented by the sender along with the personalized access 
ticket, and the second computer readable program code means 
causes said computer to check whether the sender's 
identification presented by the sender is contained in the 
personalized access ticket presented by the sender and 
refuse a delivery of the email when the sender's 
identification presented by the sender is not contained in 
the personalized access ticket presented by the sender. 

100. The computer usable medium of claim 96, wherein the 
personalized access ticket also contains a validity period 
indicating a period for which the personalized access 
ticket is valid, and the second computer readable program 
code means causes said computer to check the validity 
period contained in the personalized access ticket 
presented by the sender and refuse a delivery of the email 
when the personalized access ticket presented by the sender 
contains a validity period that has already expired. 

101. The computer usable medium of claim 96, wherein the 
second computer readable program code means causes said 
computer to register in advance, at the secure 
communication service device, the personalized access 
ticket containing an identification of a specific user from 
which a delivery of emails to a specific registrant is to 
be refused as the sender's identification and an 
identification of the specific registrant as the 
recipient's identification, and refuse a delivery of the 
email from the sender when the personalized access ticket 
presented by the sender is registered at the secure 
communication service device in advance. 
102. The computer usable medium of claim 101, wherein the 
second computer readable program code means causes said 
computer to delete the personalized access ticket 
registered at the secure communication service device upon 
request from the specific registrant who registered the 
personalized access ticket. 

103. The computer usable medium of claim 96, wherein the 
personalized access ticket also contains a transfer control 
flag indicating whether or not the sender should be 
authenticated by the secure communication service device, 
and when the transfer control flag contained in the 
personalized access ticket indicates that the sender should 
be authenticated, the second computer readable program code 
means causes said computer to authenticate the sender's 
identification presented by the sender and refuse a 
delivery of the email when an authentication of the 
sender's identification fails. 

104. The computer usable medium of claim 103, wherein the 
second computer readable program code means causes said 
computer to realize the authentication of the sender's 
identification by a challenge/response procedure between 
the sender and the secure communication service device. 
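
The checks recited in claims 96 through 104 (ticket authentication, 
presented sender identification contained in the ticket, validity 
period, refusal tickets registered in advance, and the transfer 
control flag backed by a challenge/response) are shown below as an 
added worked example. It is not part of the patent specification. It 
makes two assumptions the claims leave open: the ticket is sealed with 
an HMAC under a key shared by the secure processing device and the 
secure communication service device, standing in for the secret-key 
signature and public-key verification of claim 98 so that the example 
runs on the Python standard library alone; and the challenge/response 
of claim 104 keys a fresh nonce with a per-user secret registered at 
the service. Ticket field names, key values and the sample user are 
constructed for illustration. 

```python
import hashlib
import hmac
import json
import secrets
from typing import Callable, Optional

# Constructed sample keys.  The claims call for a ticket signed with the
# secure processing device's secret key and verified with its public key;
# an HMAC under a key shared by the issuing secure processing device and
# the secure communication service device stands in for that here
# (assumption, so the example needs only the standard library).
ISSUER_KEY = b"secure-processing-device-sample-key"
# Per-user secrets for the challenge/response of claim 104 (assumption:
# registered at the service when the user obtained its identification).
USER_SECRETS = {"alice@anon": b"alice-sample-secret"}


def _tag(fields: dict) -> str:
    """Unforgeable tag over the canonical JSON form of the ticket fields."""
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue_ticket(sender_id: str, recipient_id: str, valid_from: int,
                 valid_until: int, authenticate_sender: bool = False) -> dict:
    """Secure processing device: issue a personalized access ticket that
    binds a sender identification to a recipient identification (claim 108),
    with the validity period of claim 100 and the transfer control flag of
    claim 103."""
    fields = {
        "sender": sender_id,
        "recipient": recipient_id,
        "valid_from": valid_from,
        "valid_until": valid_until,
        "transfer_control": authenticate_sender,
    }
    return {**fields, "sig": _tag(fields)}


class SecureCommunicationService:
    """Secure communication service device: decides whether the sender
    presenting a ticket may be connected to its recipient (claims 96-104)."""

    def __init__(self) -> None:
        # Refusal tickets registered in advance by recipients (claim 101),
        # kept by their (sender, recipient) pair.
        self.refused = set()

    def register_refusal(self, ticket: dict) -> None:
        self.refused.add((ticket["sender"], ticket["recipient"]))

    def delete_refusal(self, ticket: dict) -> None:  # claim 102
        self.refused.discard((ticket["sender"], ticket["recipient"]))

    def authenticate_sender(self, sender_id: str,
                            respond: Callable[[bytes], str]) -> bool:
        """Challenge/response of claim 104: the sender proves possession of
        its secret by keying a fresh nonce chosen by the service."""
        secret = USER_SECRETS.get(sender_id)
        if secret is None:
            return False
        nonce = secrets.token_bytes(16)
        expected = hmac.new(secret, nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, respond(nonce))

    def check(self, ticket: dict, presented_sender_id: str, now: int,
              respond: Optional[Callable[[bytes], str]] = None) -> Optional[str]:
        """Return None when delivery is allowed, otherwise the refusal reason."""
        fields = {k: v for k, v in ticket.items() if k != "sig"}
        if not hmac.compare_digest(_tag(fields), str(ticket.get("sig", ""))):
            return "ticket altered or not issued by the secure processing device"
        if presented_sender_id != ticket["sender"]:
            return "presented sender identification is not contained in the ticket"
        if not ticket["valid_from"] <= now <= ticket["valid_until"]:
            return "ticket outside its validity period"
        if (ticket["sender"], ticket["recipient"]) in self.refused:
            return "ticket registered for refusal by the recipient"
        if ticket["transfer_control"] and (
                respond is None
                or not self.authenticate_sender(ticket["sender"], respond)):
            return "sender authentication failed"
        return None


def sender_responder(sender_id: str) -> Callable[[bytes], str]:
    """The sender's side of the challenge/response: answer the nonce with
    an HMAC under the user secret."""
    secret = USER_SECRETS[sender_id]
    return lambda nonce: hmac.new(secret, nonce, hashlib.sha256).hexdigest()
```

The order of the checks matters: the tag is verified before any field 
is read, so a ticket whose recipient or validity period was edited is 
refused as altered rather than being evaluated on its forged contents, 
and the refusal list is consulted only for tickets the service trusts. 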


105. The computer usable medium of claim 96, wherein the 
sender's identification and the recipient's identification 
in the personalized access ticket are given by anonymous 
identifications of the sender and the recipient, where an 
anonymous identification of each user contains at least one 
fragment of an official identification of each user by 
which each user is uniquely identifiable by a certification 
authority, and the second computer readable program code 
means also causes said computer to probabilistically 
identify an identity of the sender by reconstructing the 
official identification of the sender by judging identity 
of a plurality of anonymous identifications of the sender 
contained in a plurality of personalized access tickets 
used by the sender. 


106. The computer usable medium of claim 96, wherein an 
anonymous identification of each user that contains at 
least one fragment of an official identification of each 
user by which each user is uniquely identifiable by a 
certification authority and a link information of each 
anonymous identification by which each anonymous 
identification can be uniquely identified are defined, the 
sender's identification and the recipient's identification 
in the personalized access ticket are given by a link 
information of the anonymous identification of the sender 
and a link information of the anonymous identification of 
the recipient, and the second computer readable program 
code means also causes said computer to probabilistically 
identify an identity of the sender by reconstructing the 
official identification of the sender by judging identity 
of a plurality of anonymous identifications of the sender 
corresponding to the link information contained in a 
plurality of personalized access tickets used by the 
sender. 
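
An added worked example, not taken from the patent, of the anonymous 
identifications of claims 105 and 106: a certification authority mints 
anonymous identifications that each carry one fragment of the official 
identification, tickets may refer to them through link information, 
and the secure communication service reassembles the official 
identification from the fragments in the tickets one sender has used. 
The encoding (a 16-character official identification, 4-character 
fragments, an anonymous identification written as offset, fragment and 
random nonce, and a link table held by the service) is assumed for 
illustration; the claims do not fix it. 

```python
import secrets
from typing import Dict, Iterable, Optional, Tuple

OFFICIAL_ID_LEN = 16  # assumption: official identifications are 16 hex digits
FRAGMENT_LEN = 4      # assumption: each anonymous identification carries 4 of them


def issue_anonymous_id(official_id: str, offset: Optional[int] = None) -> str:
    """Certification authority (claims 93, 110): mint an anonymous
    identification embedding one fragment of the official identification.
    Encoding is an assumption: two-digit offset, the fragment, and a random
    nonce that makes every issued identification distinct, joined by ':'."""
    if len(official_id) != OFFICIAL_ID_LEN:
        raise ValueError("official identification has unexpected length")
    if offset is None:
        offset = secrets.randbelow(OFFICIAL_ID_LEN - FRAGMENT_LEN + 1)
    fragment = official_id[offset:offset + FRAGMENT_LEN]
    return f"{offset:02d}:{fragment}:{secrets.token_hex(4)}"


def register_link(anonymous_id: str, table: Dict[str, str]) -> str:
    """Link information of claim 106: a handle that uniquely identifies the
    anonymous identification without exposing its fragment on the wire.
    The service resolves it through its own table (assumed structure)."""
    handle = "link-" + secrets.token_hex(4)
    table[handle] = anonymous_id
    return handle


def reconstruct(anonymous_ids: Iterable[str]) -> Tuple[str, float]:
    """Secure communication service (claim 105): reassemble the official
    identification from the fragments carried by anonymous identifications
    judged to belong to one sender.  Returns the partially recovered
    identification ('?' where no fragment covered a position) and the
    fraction recovered, which is the confidence behind the probabilistic
    identification the claim describes.  A conflicting fragment means the
    identifications did not all come from one official identification."""
    slots = ["?"] * OFFICIAL_ID_LEN
    for anon in anonymous_ids:
        offset, fragment, _nonce = anon.split(":")
        for i, ch in enumerate(fragment):
            pos = int(offset) + i
            if slots[pos] not in ("?", ch):
                raise ValueError("conflicting fragments: not one official identification")
            slots[pos] = ch
    recovered = sum(s != "?" for s in slots)
    return "".join(slots), recovered / OFFICIAL_ID_LEN


def reconstruct_from_tickets(tickets: Iterable[dict],
                             table: Dict[str, str]) -> Tuple[str, float]:
    """Claim 106 variant: the tickets name the sender by link information,
    which is resolved through the service's table before reconstruction."""
    return reconstruct(table[t["sender"]] for t in tickets)
```

With random offsets, a sender who uses many tickets leaks more of the 
official identification over time, while any single ticket reveals only 
one fragment; the returned fraction makes that trade-off measurable. 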


107. The computer usable medium of claim 96, wherein when 
the access right of the sender with respect to the 
recipient is verified according to the personalized access 
ticket, the second computer readable program code means 
causes said computer to take out the recipient's 
identification from the personalized access ticket by using 
the sender's identification presented by the sender, 
convert the mail by using the taken out recipient's 
identification into a format that can be interpreted by a 
mail transfer function for actually carrying out a mail 
delivery processing, and give the mail after conversion to 
the mail transfer function by attaching the personalized 
access ticket. 

108. A computer usable medium having computer readable 
program code means embodied therein for causing a computer 
to function as a secure processing device for use in a 
communication system realizing email access control, the 
computer readable program code means includes: 

first computer readable program code means for causing 
said computer to receive a request for a personalized 
access ticket from a user; and 

second computer readable program code means for 
causing said computer to issue the personalized access 
ticket containing a sender's identification and a 
recipient's identification in correspondence, which is 
signed by a secret key of the secure processing device. 

109. A computer usable medium having computer readable 
program code means embodied therein for causing a computer 
to function as a directory service device for use in a 
communication system realizing email access control, the 
computer readable program code means includes: 

first computer readable program code means for causing 
said computer to manage an identification of each 
registrant and a disclosed information of each registrant 
which has a lower secrecy than a personal information, in a 
state which is accessible for search by unspecified many; 
and 

second computer readable program code means for 
causing said computer to issue a personalized access ticket 
containing a sender's identification and a recipient's 
identification in correspondence, to the sender in response 
to search conditions specified by the sender, by using an 
identification of a registrant whose disclosed information 
matches the search conditions as the recipient's 
identification and the sender's identification specified by 
the sender along with the search conditions. 


110. A computer usable medium having computer readable 
program code means embodied therein for causing a computer 
to function as a certification authority device for use in 
a communication system realizing email access control, the 
computer readable program code means includes: 

first computer readable program code means for causing 
said computer to issue to each user an official 
identification of each user by which each user is uniquely 
identifiable by the certification authority device; and 

second computer readable program code means for 
causing said computer to issue to each user an anonymous 
identification of each user which contains at least one 
fragment of the official identification. 

111. A computer usable medium having computer readable 
program code means embodied therein for causing a computer 
to function as a certification authority device for use in 
a communication system realizing email access control, the 
computer readable program code means includes: 

first computer readable program code means for causing 
said computer to issue to each user an identification of 
each user; and 

second computer readable program code means for 
causing said computer to issue to each user an enabler of 
the identification of each user indicating a right to 
change any personalized access ticket that contains the 
identification of each user as a holder identification, 
where the personalized access ticket generally contains a 
sender's identification and a plurality of recipient's 
identifications in correspondence, and one of the sender's 
identification and the recipient's identifications is a 
holder identification. 

112. A computer usable medium having computer readable 
program code means embodied therein for causing a computer 
to function as a secure processing device for use in a 
communication system realizing email access control, the 
computer readable program code means includes: 

first computer readable program code means for causing 
said computer to receive from a user a request for 
prescribed processing on a personalized access ticket 
containing a sender's identification and a plurality of 
recipient's identifications in correspondence, where one of 
the sender's identification and the recipient's 
identifications is a holder identification; and 

second computer readable program code means for 
causing said computer to execute the prescribed processing 
on the personalized access ticket when the user has 
presented both the holder identification contained in the 
personalized access ticket and an enabler corresponding to 
the holder identification which indicates a right to change 
the personalized access ticket containing the 
identification of the user as the holder identification. 
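
The holder identification and enabler of claims 94, 95, 111 and 112, as 
an added worked example that is not part of the patent: the 
certification authority issues an enabler tied to an identification, 
and the secure processing device changes a multi-recipient ticket only 
when the requester presents both the holder identification recorded in 
the ticket and the matching enabler. The enabler construction (an HMAC 
of the identification under a certification authority key that the 
secure processing device also holds) and the HMAC seal standing in for 
the ticket signature are assumptions; key values and identifications 
are constructed samples. 

```python
import hashlib
import hmac
import json
from typing import Iterable, List

# Constructed sample keys (assumptions): the certification authority
# derives enablers under CA_KEY, and the secure processing device seals
# tickets under ISSUER_KEY in place of the public-key signature the
# claims describe.
CA_KEY = b"certification-authority-sample-key"
ISSUER_KEY = b"secure-processing-device-sample-key"


def issue_enabler(identification: str) -> str:
    """Certification authority (claims 94, 111): an enabler that proves the
    right to change any ticket whose holder identification is this
    identification.  Assumption: enabler = HMAC(CA_KEY, identification),
    verifiable by the secure processing device, which also holds CA_KEY."""
    return hmac.new(CA_KEY, identification.encode(), hashlib.sha256).hexdigest()


def _seal(fields: dict) -> str:
    """Tag over the canonical JSON of the ticket fields (stands in for the
    secure processing device's signature)."""
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue_ticket(sender_id: str, recipient_ids: List[str], holder_id: str) -> dict:
    """Secure processing device: a ticket with one sender and several
    recipients; the holder is the sender or one of the recipients."""
    if holder_id != sender_id and holder_id not in recipient_ids:
        raise ValueError("holder must be the sender or one of the recipients")
    fields = {"sender": sender_id, "recipients": sorted(recipient_ids),
              "holder": holder_id}
    return {**fields, "sig": _seal(fields)}


def verify_ticket(ticket: dict) -> bool:
    """True when the seal matches every field other than the seal itself."""
    fields = {k: v for k, v in ticket.items() if k != "sig"}
    return hmac.compare_digest(_seal(fields), str(ticket.get("sig", "")))


def change_ticket(ticket: dict, presented_holder_id: str, presented_enabler: str,
                  add: Iterable[str] = (), remove: Iterable[str] = ()) -> dict:
    """Secure processing device (claims 95, 112): perform the requested
    change to the recipient list only when the requester presents both the
    holder identification recorded in the ticket and the enabler that
    corresponds to it.  Returns a freshly sealed ticket."""
    if not verify_ticket(ticket):
        raise PermissionError("ticket altered")
    if presented_holder_id != ticket["holder"]:
        raise PermissionError("presented identification is not the ticket's holder")
    if not hmac.compare_digest(presented_enabler, issue_enabler(presented_holder_id)):
        raise PermissionError("enabler does not correspond to the holder identification")
    recipients = (set(ticket["recipients"]) - set(remove)) | set(add)
    if ticket["holder"] != ticket["sender"] and ticket["holder"] not in recipients:
        raise ValueError("holder cannot be removed from the ticket it holds")
    fields = {"sender": ticket["sender"], "recipients": sorted(recipients),
              "holder": ticket["holder"]}
    return {**fields, "sig": _seal(fields)}
```

Presenting the holder identification alone is not enough: the enabler 
is the authorization, the identification only names whose ticket is 
being changed, and the seal is checked first so that a ticket edited 
outside the device is never accepted as a starting point. 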


ABSTRACT OF THE DISCLOSURE 

An email access control scheme capable of resolving 
problems of the real email address and enabling a unique 
identification of the identity of the user while concealing 
the user identification is disclosed. A personalized access 
ticket containing a sender's identification and a 
recipient's identification in correspondence is to be 
presented by a sender who wishes to send an email to a 
recipient so as to specify the recipient as an intended 
destination of the email. Then, accesses between the sender 
and the recipient are controlled by verifying an access 
right of the sender with respect to the recipient according 
to the personalized access ticket at a secure communication 
service. Also, an official identification of each user by 
which each user is uniquely identifiable by a certification 
authority, and an anonymous identification of each user 
containing at least one fragment of the official 
identification are defined, and each user is identified by 
the anonymous identification of each user in communications 
for emails on a communication network. 
I hereby claim the benefit under Title 35, United States Code, Sec. 120 of any United States application(s) listed in PART C 
of page 2 hereof and, insofar as the subject matter of each of the claims of this application is not disclosed in the prior United 
States application in the manner provided by the first paragraph of Title 35, United States Code, Sec. 112, I acknowledge the 
duty to disclose all information to the Patent and Trademark Office known to me to be material to patentability of this 
application, as defined in Title 37, Code of Federal Regulations, Sec. 1.56, which became available between the filing date 
of the prior application and the national or PCT international filing date of this application. 

I hereby declare that all statements made herein of my knowledge are true and that all statements made on information and 
belief are believed to be true; and further that these statements were made with the knowledge that willful false statements and 
the like so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code 
and that such willful false statements may jeopardize the validity of the application or any patent issued thereon. 

I hereby appoint the following as my attorneys or agents with full power of substitution to prosecute this application and 
transact all business in the United States Patent and Trademark Office connected therewith: 

Anthony B. Askew - 24,154; Roger T. Frost - 22,176; Jeffrey E. Young - 28,490; 
Robert E. Richards - 29,105; John R. Harris - 30,388; Stephen M. Schaetzel - 31,418; Larry A. Roberts - 31,871; Thomas A. Hodge - 
22,602; Charles L. Warner II - 32,320; Gregory T. Gronholm - 32,415; Dale Lischer - 28,438; Peter G. Pappas - 33,205; James Dean 
Johnson - 31,771; Nora M. Tocups - 35,717; W. Scott Petty - 35,645; Daniel J. Warren - 34,272; Hubert J. Barnhardt III - 36,739; 
Virginia L. Carron - 37,110; Leona G. Young - 37,266; Jamie L. Greene - 32,467; William A. Hartselle - 36,548; Holmes J. Hawkins III - 
38,913; Mary Anthony Merchant - 39,771; Michael J. Mehrman - 40,086; William L. Warren - 36,714; Felipe J. Farley - 38,445; F. 
Leslie Bessenger III - 39,108; James A. Witherspoon - 36,723; Brenda M. Ozaki - 40,339; James D. Withers - 40,376; M. Todd Mitchem - 
P40,731; Gregory S. Smith - P40,819. 

whose mailing address for this application is: JONES & ASKEW, LLP 
191 Peachtree St., N.E., 37th Fl. 
Atlanta, GA 30303-1769 

Direct telephone calls (404) 818-3700 to: 
Roger T. Frost 

See Page 2 attached, signed, and made a part hereof. 
J&A 13700-0190 

PATENT APPLICATION, DECLARATION AND POWER OF ATTORNEY 

PART A: Inventor Information and Signature 

Full name of SOLE or FIRST inventor: Yusuke HISADA 
Citizenship: Japan 
Residence: c/o NIPPON TELEGRAPH AND TELEPHONE CORPORATION, 
20-2, Nishi-Shinjuku 3-chome, Shinjuku-ku, Tokyo 163-1419 Japan 
Post Office Address (If different): 
Inventor's signature: [signature]   Date: March 19, 1999 

Full name of SECOND joint inventor, if any: Satoshi ONO 
Citizenship: Japan 
Residence: c/o NIPPON TELEGRAPH AND TELEPHONE CORPORATION, 
20-2, Nishi-Shinjuku 3-chome, Shinjuku-ku, Tokyo 163-1419 Japan 
Post Office Address (If different): 
Second Inventor's signature: [signature]   Date: March 19, 1999 

Full name of THIRD joint inventor, if any: Haruhisa ICHIKAWA 
Citizenship: Japan 
Residence: c/o NIPPON TELEGRAPH AND TELEPHONE CORPORATION, 
20-2, Nishi-Shinjuku 3-chome, Shinjuku-ku, Tokyo 163-1419 Japan 
Post Office Address (If different): 
Third Inventor's signature: [signature]   Date: 19, 


PART B: Prior Foreign Application(s) 

Serial No.    Country   Day/Month/Year Filed   Priority Claimed 
P10-79837     Japan     26/03/1998             Yes 
P10-171930    Japan     18/06/1998             Yes 
P10-224861    Japan     07/08/1998             Yes 
P10-315172    Japan     05/11/1998             Yes 

PART C: Claim for Benefit of Filing Date of Earlier U.S. Application(s) 

Serial No.    Filing Date    Status 
                             Patented / Pending / Abandoned 
                             Patented / Pending / Abandoned 
                             Patented / Pending / Abandoned 

See Page 3 attached and made a part hereof. 


